From mattandsusanperry@alltel.net Sat May 2 07:27:18 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31C093A6CD9 for ; Sat, 2 May 2009 07:27:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.886 X-Spam-Level: X-Spam-Status: No, score=-0.886 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR2=4.395, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, TVD_RCVD_IP=1.931, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nH5lNVrBBtxz for ; Sat, 2 May 2009 07:27:11 -0700 (PDT) Received: from 82-149-99-11.wco.wellcom.at (82-149-99-11.wco.wellcom.at [82.149.99.11]) by core3.amsl.com (Postfix) with SMTP id DD7F73A6D62 for ; Sat, 2 May 2009 07:26:35 -0700 (PDT) To: " Date: Sat, 2 May 2009 07:26:35 -0700 (PDT)

Read more
Copyright
Unsubscribe | Your Privacy Rights

2008 Rodale Inc., all rights reserved.
Customer Service Department, 33 East Minor Street, Emmaus, PA 18098
From nielsen@aegislimited.com Sun May 3 06:29:34 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C49EB28C122 for ; Sun, 3 May 2009 06:29:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -16.878 X-Spam-Level: X-Spam-Status: No, score=-16.878 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, DNS_FROM_RFC_BOGUSMX=1.482, HELO_EQ_DYNAMIC=1.144, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_RHS_DOB=1.083, URIBL_SC_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KcXPDR8+z2Mh for ; Sun, 3 May 2009 06:29:33 -0700 (PDT) Received: from host220-225-dynamic.0-87-r.retail.telecomitalia.it (host220-225-dynamic.0-87-r.retail.telecomitalia.it [87.0.225.220]) by core3.amsl.com (Postfix) with SMTP id 0FD2328C0EE for ; Sun, 3 May 2009 06:29:31 -0700 (PDT) To: " Date: Sun, 3 May 2009 06:29:31 -0700 (PDT)
From krissy133@advgra.com Sun May 3 17:26:53 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C1DD43A63D3 for ; Sun, 3 May 2009 17:26:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -21.606 X-Spam-Level: X-Spam-Status: No, score=-21.606 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, HTML_IMAGE_ONLY_20=1.546, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, RDNS_NONE=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFHHYz9RH9Bh for ; Sun, 3 May 2009 17:26:52 -0700 (PDT) Received: from alta247.com (unknown [200.204.244.147]) by core3.amsl.com (Postfix) with SMTP id 7237C3A7113 for ; Sun, 3 May 2009 17:26:18 -0700 (PDT) To: " Date: Sun, 3 May 2009 17:26:18 -0700 (PDT)
From kent_liu@acrosschina.com Sun May 3 18:08:20 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E535828C11F for ; Sun, 3 May 2009 18:08:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -11.422 X-Spam-Level: X-Spam-Status: No, score=-11.422 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_VERIZON_P=2.144, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_VERIZON_POOL=1.495, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 51TNsvxlI0Y4 for ; Sun, 3 May 2009 18:08:20 -0700 (PDT) Received: from pool-71-184-212-170.bstnma.fios.verizon.net (pool-71-184-212-170.bstnma.fios.verizon.net [71.184.212.170]) by core3.amsl.com (Postfix) with SMTP id 56EA03A6FE0 for ; Sun, 3 May 2009 18:08:18 -0700 (PDT) To: " Date: Sun, 3 May 2009 18:08:18 -0700 (PDT)
From owner-namedroppers@ops.ietf.org Mon May 4 07:23:28 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6998E3A6BAE; Mon, 4 May 2009 07:23:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.524
X-Spam-Level:
X-Spam-Status: No, score=-2.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7XsLMxZ3WGz; Mon, 4 May 2009 07:23:23 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D31593A68B0; Mon, 4 May 2009 07:23:22 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M0yy0-0003by-Ok for namedroppers-data0@psg.com; Mon, 04 May 2009 14:16:24 +0000
Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M0yxm-0003ar-La for namedroppers@ops.ietf.org; Mon, 04 May 2009 14:16:17 +0000
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n44EG0Xk085814; Mon, 4 May 2009 16:16:00 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905041416.n44EG0Xk085814@givry.fdupont.fr>
From: Francis Dupont
To: Edward Lewis
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
In-reply-to: Your message of Mon, 27 Apr 2009 16:34:39 EDT.
Date: Mon, 04 May 2009 16:16:00 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In your previous mail you wrote:

> Abstract

=> changed goal into purpose and added something about MD5 and TKEY.

> 1. Introduction
>
> "lower than expected" -> "weaker than expected"? (RFC 4635 uses "stronger")

> 1. Mark HMAC-MD5.SIG-ALG.REG.INT as optional in the TSIG algorithm
> name registry managed by the IANA under the IETF Review Policy
> [RFC5226]
>
> Can we mark it "historic" instead of "optional?" Or even "deprecated?"

=> about this (and similar other comments): this point was proposed but was rejected by rough consensus. The two problems are:
- there are no deprecated or historic requirement keywords
- there is no crypto reason to ban HMAC-MD5

> 5. Availability Considerations
>
> And SHA1 "is [eventually?] likely to suffer" - any time soon? This doc title is about HMAC-MD5, not SHA1.

=> SHA1 end of life is planned in 2010 (cf NIST, BTW 2010 is next year), so even if there is nothing against HMAC-SHA1 the same availability problem could occur, so between the two remaining "mandatory to support" algos HMAC-SHA256 is the best candidate. BTW I agree it is far too soon to say more about SHA1.

> 6. Security Considerations
>
> That's okay for HMAC-MD5 if there is a reference to a statement it is obsolete,

=> it is not obsolete, it is just no longer available. And I can't add a crypto reference about a HMAC-MD5 weakness (just because there is none), MD5 itself being out of context. So as it is written "this document does not assume anything about the cryptographic security of different hash algorithms."

> I'd drop any change to SHA1 for now

=> no problem: there is no change to SHA1.

> and add pointers to HMAC analysis to support this assertion.

=> which assertion? I've carefully avoided any assertion about cryptography in the security considerations.

Thanks

Francis.Dupont@fdupont.fr

PS: the whole document is about how to allow both "certified" and "compliant" in the "use a certified cryptography module in a compliant TSIG implementation" where:
- "certified" means for instance FIPS 140-2 certified
- "compliant" means all mandatory to support algos, in particular HMAC-MD5, are supported
- "use" means more than usual because of the certified (cf FIPS 140-2 Implementation Guidance section G.5 guidelines)
- "TSIG implementation" is of course any DNS tool which implements TSIG

so it is really an availability problem...

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive:
From liborivey@advantagewebcms.com Mon May 4 19:18:49 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DC493A6D3A for ; Mon, 4 May 2009 19:18:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -26.155 X-Spam-Level: X-Spam-Status: No, score=-26.155 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, FH_RELAY_NODNS=1.451, HELO_EQ_BIZ=0.288, HELO_MISMATCH_BIZ=0.443, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905, RDNS_NONE=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXKz9rJi6iS7 for ; Mon, 4 May 2009 19:18:49 -0700 (PDT) Received: from 012.net.il (unknown [189.102.152.170]) by core3.amsl.com (Postfix) with SMTP id F42263A6A7F for ; Mon, 4 May 2009 19:18:46 -0700 (PDT) To: " Date: Mon, 4 May 2009 19:18:46 -0700 (PDT)
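The availability problem Francis Dupont describes in his message above (a certified crypto module that does not expose MD5, versus a TSIG implementation that treats HMAC-MD5 as mandatory to support) can be made concrete with the following added Python example. It is not code from the thread or from any TSIG implementation: the `CryptoModule` class, the two module instances, the shared key and the message bytes are all constructed for illustration, and the MAC input is a stand-in for the RFC 2845 wire-format fields rather than a real TSIG RR. The signer prefers HMAC-SHA256 among the mandatory-to-support algorithms, and the verifier reports TSIG error-code names (NOERROR, BADKEY, BADSIG) so that an HMAC-MD5-signed message reaching a module without MD5 fails as an unusable key rather than crashing.

```python
"""TSIG algorithm selection when the crypto module does not offer MD5 (constructed example)."""
import hashlib
import hmac

# TSIG algorithm names (RFC 2845 / RFC 4635), lower-cased, mapped to hashlib digest names.
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": "md5",
    "hmac-sha1": "sha1",
    "hmac-sha256": "sha256",
}

# Signing preference when the peer has not fixed the algorithm: the two
# remaining mandatory-to-support algorithms first, strongest first, MD5 last.
PREFERRED = ["hmac-sha256", "hmac-sha1", "hmac-md5.sig-alg.reg.int"]


class CryptoModule:
    """Stand-in for a crypto provider; `allowed` models the digests it exposes (constructed)."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def hmac_digest(self, digest_name, key, data):
        if digest_name not in self.allowed:
            raise ValueError(f"{digest_name} is not available in this module")
        return hmac.new(key, data, getattr(hashlib, digest_name)).digest()


# Constructed modules: one exposing everything, one modelling a certified
# module that does not offer MD5 at all.
UNRESTRICTED = CryptoModule({"md5", "sha1", "sha256"})
CERTIFIED = CryptoModule({"sha1", "sha256"})


def choose_algorithm(module, requested=None):
    """Return a TSIG algorithm name the module can compute, or None if there is none."""
    candidates = [requested.lower()] if requested else PREFERRED
    for name in candidates:
        digest = TSIG_ALGORITHMS.get(name)
        if digest is not None and digest in module.allowed:
            return name
    return None


def mac_input(message, algorithm):
    # Constructed stand-in for "DNS message + TSIG variables"; a real
    # implementation covers the wire-format fields listed in RFC 2845.
    return message + b"\x00" + algorithm.encode("ascii")


def tsig_sign(module, key, message, algorithm=None):
    """Sign `message`; returns (algorithm, mac). Raises if the module can use no algorithm."""
    name = choose_algorithm(module, algorithm)
    if name is None:
        raise ValueError("no TSIG algorithm usable with this crypto module")
    return name, module.hmac_digest(TSIG_ALGORITHMS[name], key, mac_input(message, name))


def tsig_verify(module, key, message, algorithm, mac):
    """Return a TSIG error-code name: NOERROR, BADKEY (unknown or unavailable
    algorithm) or BADSIG (MAC mismatch). Comparison is constant-time."""
    name = choose_algorithm(module, algorithm)
    if name is None:
        return "BADKEY"
    expected = module.hmac_digest(TSIG_ALGORITHMS[name], key, mac_input(message, name))
    return "NOERROR" if hmac.compare_digest(expected, mac) else "BADSIG"


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    msg = b"constructed DNS update for example.test"
    # A peer that still signs with HMAC-MD5 cannot be verified by the certified module.
    alg, mac = tsig_sign(UNRESTRICTED, key, msg, "HMAC-MD5.SIG-ALG.REG.INT")
    print(alg, tsig_verify(CERTIFIED, key, msg, alg, mac))
    # Letting the signer pick an algorithm the module has yields HMAC-SHA256.
    alg, mac = tsig_sign(CERTIFIED, key, msg)
    print(alg, tsig_verify(UNRESTRICTED, key, msg, alg, mac))
```

Run as a script it prints `hmac-md5.sig-alg.reg.int BADKEY` followed by `hmac-sha256 NOERROR`, which is the whole point of making HMAC-MD5 optional: an implementation backed by a module without MD5 can still be compliant as long as both sides agree on one of the remaining mandatory-to-support algorithms.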
From jbt@aacanet.org Tue May 5 07:38:44 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9112E3A6D56 for ; Tue, 5 May 2009 07:38:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.443 X-Spam-Level: X-Spam-Status: No, score=-9.443 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, FH_RELAY_NODNS=1.451, HELO_EQ_BR=0.955, HELO_MISMATCH_BR=2.4, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_XBL=3.033, RDNS_NONE=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIkSRE79LVK0 for ; Tue, 5 May 2009 07:38:42 -0700 (PDT) Received: from accortour.com.br (unknown [77.228.1.112]) by core3.amsl.com (Postfix) with SMTP id DCF413A68B2 for ; Tue, 5 May 2009 07:38:36 -0700 (PDT) To: " Date: Tue, 5 May 2009 07:38:36 -0700 (PDT)
From owner-namedroppers@ops.ietf.org Tue May 5 09:37:31 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01FEB3A6CE9; Tue, 5 May 2009 09:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6BfTQaCS4clU; Tue, 5 May 2009 09:37:30 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id CF0313A6E1E; Tue, 5 May 2009 09:37:07 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M1NWz-0005kh-3p for namedroppers-data0@psg.com; Tue, 05 May 2009 16:30:09 +0000
Received: from [2001:1890:1112:1::20] (helo=mail.ietf.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M1NWb-0005ig-7a for namedroppers@ops.ietf.org; Tue, 05 May 2009 16:29:51 +0000
Received: by core3.amsl.com (Postfix, from userid 30) id 976A23A6DDD; Tue, 5 May 2009 09:28:16 -0700 (PDT)
X-idtracker: yes
To: IETF-Announce
From: The IESG
Subject: [dnsext] Last Call: draft-ietf-dnsext-dnsproxy (DNS Proxy Implementation Guidelines) to BCP
Reply-to: ietf@ietf.org
CC:
Message-Id: <20090505162816.976A23A6DDD@core3.amsl.com>
Date: Tue, 5 May 2009 09:28:16 -0700 (PDT)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

The IESG has received a request from the DNS Extensions WG (dnsext) to consider the following document:

- 'DNS Proxy Implementation Guidelines' as a BCP

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2009-05-19. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnsproxy-05.txt

IESG discussion can be tracked via https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=18026&rfc_flag=0

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive:
From mckee@amitylake.com Tue May 5 13:08:39 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B84A83A67EC for ; Tue, 5 May 2009 13:08:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -12.805 X-Spam-Level: X-Spam-Status: No, score=-12.805 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, HTML_IMAGE_ONLY_20=1.546, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrrzXVSeiWFJ for ; Tue, 5 May 2009 13:08:38 -0700 (PDT) Received: from 91stb76.codetel.net.do (91stb76.codetel.net.do [66.98.26.91]) by core3.amsl.com (Postfix) with SMTP id 029993A6AA4 for ; Tue, 5 May 2009 13:08:36 -0700 (PDT) To: " Date: Tue, 5 May 2009 13:08:36 -0700 (PDT)
From ndndd@alcoholconcern.org.uk Tue May 5 19:22:25 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34D7B3A68ED for ; Tue, 5 May 2009 19:22:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -33.444 X-Spam-Level: X-Spam-Status: No, score=-33.444 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_SC_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nq-Huy0lH108 for ; Tue, 5 May 2009 19:22:24 -0700 (PDT) Received: from cuscon116670.tstt.net.tt (cuscon116670.tstt.net.tt [190.59.77.226]) by core3.amsl.com (Postfix) with SMTP id D13E73A68AA for ; Tue, 5 May 2009 19:22:16 -0700 (PDT) To: " Date: Tue, 5 May 2009 19:22:16 -0700 (PDT)
From llink@ah.org Wed May 6 07:29:08 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E0433A67A3 for ; Wed, 6 May 2009 07:29:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -47.378 X-Spam-Level: X-Spam-Status: No, score=-47.378 tagged_above=-999 required=5 tests=[APOSTROPHE_FROM=0.001, BAYES_99=3.5, HELO_EQ_JP=1.244, HELO_EQ_NE_JP=1.244, HOST_EQ_JP=1.265, HOST_EQ_NE_JP=2.599, HTML_IMAGE_ONLY_16=1.526, HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_3=0.001, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, URIBL_AB_SURBL=10, URIBL_BLACK=20, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpzE70oWJoYL for ; Wed, 6 May 2009 07:29:00 -0700 (PDT) Received: from p8208-ipngn401funabasi.chiba.ocn.ne.jp (p8208-ipngn401funabasi.chiba.ocn.ne.jp [114.158.223.208]) by core3.amsl.com (Postfix) with SMTP id 2632A3A6DE5 for ; Wed, 6 May 2009 07:28:36 -0700 (PDT) To: " Date: Wed, 6 May 2009 07:28:36 -0700 (PDT)
From ruwharig@fotosxxx.com Wed May 6 07:59:31 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7756A3A6F23 for ; Wed, 6 May 2009 07:59:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -41.7 X-Spam-Level: X-Spam-Status: No, score=-41.7 tagged_above=-999 required=5 tests=[BAYES_80=2, HELO_DYNAMIC_HCC=4.295, HELO_EQ_DSL=1.129, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZI38SPPY0LV7 for ; Wed, 6 May 2009 07:59:25 -0700 (PDT) Received: from bl8-95-218.dsl.telepac.pt (bl8-95-218.dsl.telepac.pt [85.241.95.218]) by core3.amsl.com (Postfix) with ESMTP id 8F6733A68D1 for ; Wed, 6 May 2009 07:57:34 -0700 (PDT) X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 6 May 2009 15:59:21 +0100 To: dnsext-archive@ietf.org From: Mario Carnrike Subject: Your wife's friend Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_87160399==.ALT" Message-Id: <20090506145734.8F6733A68D1@core3.amsl.com> --=====================_87160399==.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Greatest sale on hypertension category! Enter to see more right now http://www.gokwuyih.cn/ --=====================_87160399==.ALT Content-Type: text/html; charset="us-ascii" Greatest sale on hypertension category! 
Enter to see more right now http://www.gokwuyih.cn/ --=====================_87160399==.ALT-- From saesimed_2002@fotosxxx.com Wed May 6 08:01:05 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A2F228C1AD for ; Wed, 6 May 2009 08:01:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -40.2 X-Spam-Level: X-Spam-Status: No, score=-40.2 tagged_above=-999 required=5 tests=[BAYES_99=3.5, HELO_DYNAMIC_HCC=4.295, HELO_EQ_DSL=1.129, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3vLrAYhcjPJi for ; Wed, 6 May 2009 08:00:59 -0700 (PDT) Received: from bl8-95-218.dsl.telepac.pt (bl8-95-218.dsl.telepac.pt [85.241.95.218]) by core3.amsl.com (Postfix) with ESMTP id 7273E28C0F6 for ; Wed, 6 May 2009 07:59:20 -0700 (PDT) X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 6 May 2009 16:01:07 +0100 To: dnsext-archive@lists.ietf.org From: Santo Hummingbird Subject: Mike gave your mail Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_51573345==.ALT" Message-Id: <20090506145920.7273E28C0F6@core3.amsl.com> --=====================_51573345==.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Right now you have a chance to save 80% on anti-stress products! Don't waste it http://www.gokwuyih.cn/ --=====================_51573345==.ALT Content-Type: text/html; charset="us-ascii" Right now you have a chance to save 80% on anti-stress products! 
Don't waste it http://www.gokwuyih.cn/ --=====================_51573345==.ALT-- From bergie@matrixti.com Wed May 6 09:35:33 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E24603A68CB; Wed, 6 May 2009 09:35:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -13.925 X-Spam-Level: X-Spam-Status: No, score=-13.925 tagged_above=-999 required=5 tests=[BAYES_99=3.5, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR2=4.395, HELO_EQ_RU=0.595, HOST_EQ_BROADBND=1.118, HOST_EQ_RU=0.875, J_CHICKENPOX_42=0.6, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_WEB=0.619, RDNS_DYNAMIC=0.1, SARE_SPEC_ROLEX_NOV5A=1.062, SARE_SPEC_ROLEX_NOV5F=0.666, TVD_RCVD_IP=1.931, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_SBL=20, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnYckbnjuaTv; Wed, 6 May 2009 09:35:27 -0700 (PDT) Received: from 93-81-21-56.broadband.corbina.ru (93-81-21-56.broadband.corbina.ru [93.81.21.56]) by core3.amsl.com (Postfix) with SMTP id 7F58E28C0F6; Wed, 6 May 2009 09:31:50 -0700 (PDT) From: "Sonia Sheets" TO: <"aaa-archive@lists.ietf.org, atommib-archive@lists.ietf.org, capwap-archive@lists.ietf.org, dnsext-archive@lists.ietf.org, idn-archive"@lists.ietf.org> Subject: Save 80% on Brand name rep watches Date: Wed, 06 May 2009 12:33:17 -0500 Message-ID: <57880qwfh799RZBGOaaa-archive@lists.ietf.org> Content-Type: text/plain; Content-Transfer-Encoding: 7Bit A fine designer watch says means refinement and money. A fine, non-expensive designer watch also means intelligence! 
http://safoijo.cn So, come visit Diam0nd Reps, the famous watch-portal where thousands of satisfied customers have already found that superb imitation time piece for just a few hundred dollars. http://safoijo.cn Don't delay your pleasure: our incredible watch collection awaits you at Diam0nd Reps, so come visit us now! From Laura-0edaps@asabasket.asso.fr Wed May 6 12:50:17 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B6D93A69EC for ; Wed, 6 May 2009 12:50:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -88.134 X-Spam-Level: X-Spam-Status: No, score=-88.134 tagged_above=-999 required=5 tests=[BAYES_99=3.5, HELO_EQ_CZ=0.445, HOST_EQ_BROADBND=1.118, HOST_EQ_CZ=0.904, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRtqEhlO7KUk for ; Wed, 6 May 2009 12:50:11 -0700 (PDT) Received: from 22.23.broadband11.iol.cz (22.23.broadband11.iol.cz [90.178.23.22]) by core3.amsl.com (Postfix) with ESMTP id E3D723A6ABC for ; Wed, 6 May 2009 12:50:10 -0700 (PDT) X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 6 May 2009 21:51:39 +0200 To: dnsext-archive@ietf.org From: Laura Kostura Subject: I seek for you all day Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_11135509==.ALT" Message-Id: <20090506195010.E3D723A6ABC@core3.amsl.com> --=====================_11135509==.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed Best way to prevent falling ill is buying our goods in the Web http://www.ceynofos.cn/ --=====================_11135509==.ALT Content-Type: text/html; charset="us-ascii" Best way to prevent falling ill is buying our 
From owner-namedroppers@ops.ietf.org Wed May 6 13:33:52 2009
From: Jeroen Massar
Organization: Unfix
To: Name Droppers
Date: Wed, 06 May 2009 22:26:35 +0200
Subject: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-ID: <4A01F27B.10404@spaghetti.zurich.ibm.com>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

Hi,

I guess quite a few ISPs who are providing public IP addresses to their customers must be seeing these, and then loads of them, on their NSs:

  May 5 14:15:14 noc named[26139]: client xxxx:xxxx:xxxx::x#3421046: update '3.2.1.8.b.d.1.0.0.2.ip6.arpa/IN' denied

or the IPv4 equivalent. Now I know that most of these will come from Windows, as they have this setting activated per default, and one could, if running inside an Active Directory, turn those off easily, but in the case where one doesn't have control over the hosts in question it would be nice if there was a flag for indicating whether the zone is able to update or not, and possibly where to send updates. Is there such a mechanism already?

If there is no such option, maybe something like:

  $ORIGIN 3.2.1.8.b.d.1.0.0.2.ip6.arpa.
  @ DDNS .

or:

  @ DDNS ddns-updates.example.net.

The first indicating there is no updating host, the latter indicating where to send updates, as otherwise the NS in the SOA will always get the queries and maybe that is not the correct location.

Note: finding the ORIGIN of the zone where that record is available is of course a tricky thing. For IPv6 it is most likely at the /64 level but it could be higher up; would a per-nibble scan then be the idea? For IPv4 one would be fine with 4 queries there to check what can be done.

(Of course, even if we had the above mechanism one would still need to get it deployed, but at least it would resolve it for newly installed/upgraded hosts.)

Greets,
 Jeroen

-- 
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive:
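An added example, not part of Jeroen's message or anything the list produced: the Python below does the two things his message describes from the operator's side. It matches named "update ... denied" log lines and counts refused updates per reverse zone and per client, and it enumerates the candidate zone origins for an address, one nibble at a time under ip6.arpa and one octet at a time under in-addr.arpa, which is the "per-nibble scan" and "4 queries" walk he sketches. The log line format is assumed from the single line quoted above (named versions differ slightly), the sample log is constructed with documentation prefixes, and the `suspicious` check is an addition: a client whose own reverse name does not even lie inside the zone it tried to update is either badly misconfigured or spoofing, and is the kind of entry worth a second look.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Pattern for the BIND "update ... denied" line quoted in the thread.
# Assumption: that one line is representative; adjust to your own named logs.
DENIED_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F:.]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<cls>[A-Z]+)' denied"
)

# Constructed sample log (not from the thread): one IPv6 host, two IPv4 hosts
# of which one is outside the zone it targets, and one non-update line.
SAMPLE_LOG = """\
May  5 14:15:14 noc named[26139]: client 2001:db8:1:2::10#53421: update '2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/IN' denied
May  5 14:15:20 noc named[26139]: client 2001:db8:1:2::10#53422: update '2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/IN' denied
May  5 14:16:02 noc named[26139]: client 192.0.2.77#49152: update '2.0.192.in-addr.arpa/IN' denied
May  5 14:16:30 noc named[26139]: client 198.51.100.9#40000: update '2.0.192.in-addr.arpa/IN' denied
May  5 14:17:00 noc named[26139]: client 192.0.2.77#49153: query: www.example.net IN AAAA -ED
"""


def reverse_name(addr: str) -> str:
    """Owner name a host would try to write its PTR at: the in-addr.arpa or
    ip6.arpa name of the address, absolute (trailing dot)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def candidate_zones(addr: str) -> List[Tuple[int, str]]:
    """Possible zone origins above an address's reverse name, most specific
    first, as (prefix_length, origin). IPv6 is walked one nibble (4 bits) at a
    time, IPv4 one octet (8 bits) at a time, so IPv4 yields exactly 4 candidates
    and IPv6 32, with the /64 cut sitting at index 15."""
    ip = ipaddress.ip_address(addr)
    labels = ip.reverse_pointer.split(".")
    suffix, host = labels[-2:], labels[:-2]
    bits = 4 if ip.version == 6 else 8
    return [
        ((len(host) - i) * bits, ".".join(host[i:] + suffix) + ".")
        for i in range(1, len(host) + 1)
    ]


def parse_denied(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client address, zone) for every refused update in the log."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("client"), m.group("zone").rstrip(".") + "."


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Refused updates per zone, counted per client."""
    per_zone: Dict[str, Counter] = {}
    for client, zone in parse_denied(lines):
        per_zone.setdefault(zone, Counter())[client] += 1
    return per_zone


def client_in_zone(client: str, zone: str) -> bool:
    """True if the client's own reverse name lies inside the zone it targeted."""
    return reverse_name(client).endswith("." + zone)


def suspicious(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Refused updates whose sender is not even inside the targeted zone:
    misdirected at best, a spoofed or hostile update at worst."""
    return [(c, z) for c, z in parse_denied(lines) if not client_in_zone(c, z)]


if __name__ == "__main__":
    for zone, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(zone, dict(counts))
    print("suspicious:", suspicious(SAMPLE_LOG.splitlines()))
    for plen, origin in candidate_zones("2001:db8:1:2::10")[14:17]:
        print("/%d" % plen, origin)
```

Feed it the output of `grep denied named.log` and the per-zone counters tell you which delegations are attracting the Windows self-registration traffic; the candidate list is what a client-side probe would query, SOA by SOA, from the /124 up, until it finds the zone cut.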
From owner-namedroppers@ops.ietf.org Wed May 6 16:51:55 2009
From: Mark Andrews
To: Jeroen Massar
Cc: Name Droppers
Date: Thu, 07 May 2009 09:45:01 +1000
Subject: Re: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-Id: <200905062345.n46Nj1HK067601@drugs.dv.isc.org>
In-reply-to: <4A01F27B.10404@spaghetti.zurich.ibm.com>

In message <4A01F27B.10404@spaghetti.zurich.ibm.com>, Jeroen Massar writes:
> I guess quite a few ISPs who are providing public IP addresses to their customers must be seeing these, and then loads of them, on their NSs:
>
>   May 5 14:15:14 noc named[26139]: client xxxx:xxxx:xxxx::x#3421046: update '3.2.1.8.b.d.1.0.0.2.ip6.arpa/IN' denied
>
> or the IPv4 equivalent. Now I know that most of these will come from Windows, as they have this setting activated per default, and one could, if running inside an Active Directory, turn those off easily, but in the case where one doesn't have control over the hosts in question it would be nice if there was a flag for indicating whether the zone is able to update or not, and possibly where to send updates. Is there such a mechanism already?
>
> If there is no such option, maybe something like:
>   $ORIGIN 3.2.1.8.b.d.1.0.0.2.ip6.arpa.
>   @ DDNS .
>
> or:
>   @ DDNS ddns-updates.example.net.
>
> The first indicating there is no updating host, the latter indicating where to send updates, as otherwise the NS in the SOA will always get the queries and maybe that is not the correct location.
[..]

Or realise that end hosts SHOULD have the ability to update their PTR records to reflect their own names. Remember ISPs are leasing the addresses to the hosts. ISPs don't own the host and they shouldn't be forcing name constraints on the hosts. IN-ADDR.ARPA and IP6.ARPA are delegated to the ISP so that the hostnames of the machines at the addresses can be registered in the DNS. It's not there, despite what some ISPs think, for their naming schemes. If I'm leasing a shop then I get to choose the name of the shop, not the person I'm leasing the shop from.

The real question is how to do this so that spoofed updates are not processed. An update over TCP should be strong enough for this.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: Mark_Andrews@isc.org
From owner-namedroppers@ops.ietf.org Wed May 6 17:24:57 2009
From: Ted Lemon
To: Mark Andrews
Cc: Jeroen Massar, Name Droppers
Date: Wed, 6 May 2009 19:21:24 -0500
Subject: Re: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-ID: <6010D0D0-BA8B-461E-B252-A1913F2F6591@nominum.com>
In-Reply-To: <200905062345.n46Nj1HK067601@drugs.dv.isc.org>

On May 6, 2009, at 6:45 PM, Mark Andrews wrote:
> The real question is how to do this so that spoofed updates are not processed. An update over TCP should be strong enough for this.

CGA would work nicely for IPv6. TCP depends on there being good isolation between hosts on the local network, which I don't think is a valid assumption.
From owner-namedroppers@ops.ietf.org Wed May 6 18:07:29 2009
From: Mark Andrews
To: Ted Lemon
Cc: Jeroen Massar, Name Droppers
Date: Thu, 07 May 2009 11:01:20 +1000
Subject: Re: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-Id: <200905070101.n4711K7G068600@drugs.dv.isc.org>
In-reply-to: <6010D0D0-BA8B-461E-B252-A1913F2F6591@nominum.com>

In message <6010D0D0-BA8B-461E-B252-A1913F2F6591@nominum.com>, Ted Lemon writes:
> On May 6, 2009, at 6:45 PM, Mark Andrews wrote:
> > The real question is how to do this so that spoofed updates are not processed. An update over TCP should be strong enough for this.
>
> CGA would work nicely for IPv6.

Agreed, but that also requires protocol work to add a signature method.

> TCP depends on there being good isolation between hosts on the local network, which I don't think is a valid assumption.

It should be reasonable for many situations. Looking at my cable connection I can't see any of my neighbour's traffic, so to spoof this requires a blind TCP spoof. Add some ingress filtering and this is almost impossible to break.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: Mark_Andrews@isc.org
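An added example, not from the list, from ISC or from BIND: a minimal RFC 2136 UPDATE builder and parser together with the authorization rule that Mark's position implies, namely that a host may add or delete only the PTR at its own reverse name, and only inside the zone the message names. The point the exchange above turns on is visible in `authorize_self_ptr`: the whole check hangs on `client_ip` being genuine, which is what TCP, ingress filtering and RPF are meant to guarantee; with a spoofed source the check passes for the wrong party, and with a forged source inside a neighbour's prefix it rewrites the neighbour's PTR. Name compression, the prerequisite section and TSIG/SIG(0) are deliberately left out; a real server handles all three, and a signed update is what replaces trust in the source address.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

OPCODE_UPDATE = 5                # RFC 2136 header opcode
TYPE_SOA, TYPE_PTR = 6, 12
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255   # NONE/ANY mark deletions in UPDATE


def encode_name(name: str) -> bytes:
    """Wire-format name without compression; the root '.' is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Inverse of encode_name; rejects compression pointers, which this toy never emits."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this toy parser")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_ptr_update(msg_id: int, zone: str, owner: str, target: str, ttl: int = 3600) -> bytes:
    """UPDATE with one zone entry (zone, SOA, IN) and one PTR RR to add: what a
    host registering its own reverse name sends (RFC 2136 sections 2.2 to 2.5)."""
    flags = OPCODE_UPDATE << 11
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)   # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name(target)
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def parse_update(msg: bytes) -> Dict:
    """Decode header, zone section and update section of an UPDATE message."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    if zo != 1 or pr != 0:
        raise ValueError("toy parser expects one zone and no prerequisites")
    off = 12
    zone, off = decode_name(msg, off)
    ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if ztype != TYPE_SOA:
        raise ValueError("zone section must be type SOA")
    updates: List[Tuple[str, int, int, int, bytes]] = []
    for _ in range(up):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        updates.append((owner, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "zone": zone, "updates": updates}


def authorize_self_ptr(client_ip: str, msg: bytes) -> Tuple[bool, str]:
    """Policy: the sender may change only the PTR at its own reverse name, and
    that name must be inside the zone named in the message. Only as strong as
    the trust in client_ip: a spoofed source passes for whatever it claims."""
    upd = parse_update(msg)
    self_name = ipaddress.ip_address(client_ip).reverse_pointer + "."
    if not self_name.endswith("." + upd["zone"]):
        return False, "zone %s does not cover %s" % (upd["zone"], client_ip)
    for owner, rtype, rclass, _ttl, _rdata in upd["updates"]:
        if rtype != TYPE_PTR:
            return False, "only PTR records may be changed"
        if rclass not in (CLASS_IN, CLASS_NONE, CLASS_ANY):
            return False, "unexpected class %d" % rclass
        if owner != self_name:
            return False, "%s is not the sender's own name %s" % (owner, self_name)
    return True, "accepted"


if __name__ == "__main__":
    # Constructed example in a documentation prefix: host .77 registers itself,
    # then a neighbour (.78) replays the same message to overwrite .77's PTR.
    zone = "2.0.192.in-addr.arpa."
    msg = build_ptr_update(0x1234, zone, "77.2.0.192.in-addr.arpa.", "host77.example.net.")
    print(authorize_self_ptr("192.0.2.77", msg))
    print(authorize_self_ptr("192.0.2.78", msg))
```

The second call is refused only because the server believes the packet's source; if .78 can put .77 in the IP header and still complete the exchange, the policy cannot tell the two apart, which is why the thread argues over TCP handshakes, ingress filtering and CGA rather than over the policy itself.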
From owner-namedroppers@ops.ietf.org Wed May 6 22:48:58 2009
From: Joe Abley
To: Jeroen Massar
Cc: Name Droppers
Date: Thu, 7 May 2009 07:40:49 +0200
Subject: Re: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-Id: <3F4D37B8-2435-4525-B584-EA341EDD8ADE@hopcount.ca>
In-Reply-To: <4A01F27B.10404@spaghetti.zurich.ibm.com>

On 6-May-2009, at 22:26, Jeroen Massar wrote:
> I guess quite a few ISPs who are providing public IP addresses to their customers must be seeing these, and then loads of them, on their NSs:
>
>   May 5 14:15:14 noc named[26139]: client xxxx:xxxx:xxxx::x#3421046: update '3.2.1.8.b.d.1.0.0.2.ip6.arpa/IN' denied
>
> or the IPv4 equivalent. Now I know that most of these will come from Windows, as they have this setting activated per default, and one could, if running inside an Active Directory, turn those off easily, but in the case where one doesn't have control over the hosts in question it would be nice if there was a flag for indicating whether the zone is able to update or not, and possibly where to send updates. Is there such a mechanism already?

There's a mechanism available which is in use by some people, but which, when presented to dnsop, led to much frowning, and the document withered on the vine.

http://tools.ietf.org/id/draft-jabley-dnsop-missing-mname-00.txt

The principal objection, from memory, was that this approach might cause yet more junk traffic to be received by the root servers. There was some sympathy for the fact that there is no good mechanism available to signal "DDNS not available", but in general there was no consensus that this was a real problem that needed solving.

Joe
From owner-namedroppers@ops.ietf.org Wed May 6 23:51:44 2009
From: Jeroen Massar
Organization: Unfix
To: Mark Andrews
Cc: Name Droppers
Date: Thu, 07 May 2009 08:45:54 +0200
Subject: Re: [dnsext] Domain "Flag" to indicate (non-)availability of automatic DNS updates for reverse DNS
Message-ID: <4A0283A2.5090707@spaghetti.zurich.ibm.com>
In-Reply-To: <200905062345.n46Nj1HK067601@drugs.dv.isc.org>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

Mark Andrews wrote:
[..]
> Or realise that end hosts SHOULD have the ability to update their PTR records to reflect their own names. Remember ISPs are leasing the addresses to the hosts. ISPs don't own the host and they shouldn't be forcing name constraints on the hosts.

Well, that is actually the fun part. SixXS actually allows one to delegate the subnet reverse* DNS to a DNS server of one's own choosing. Not everybody does that though, and thus the updates end up at us.

Come to think of it, maybe another route is to per default set an "NS ." or something like that, making the delegation lame? Though that is, I think, also not a proper way to solve it.

> The real question is how to do this so that spoofed updates are not processed. An update over TCP should be strong enough for this.

As in this case it involves tunnels, we can do full RPF checks on the packets and are sure that when they arrive at us those packets really originate from there. In a shared (e.g. cable) environment, or where one does not have such a strict hierarchy, it becomes harder.

The point of this question was simply that we don't want to handle the DDNS updates, which do end up at our boxes. In these cases people are not aware that they can configure a reverse DNS server, even though they have the possibility to do so, and as it is enabled per default on Windows it still happens.

Greets,
 Jeroen

* = we have /64s over the tunnel, where ::1 is the PoP (us) and ::2 is the user's endpoint; these one cannot change for reverse DNS, but they are already pre-populated. The /48 one can route to ::2, though, is fully theirs, and they can configure multiple DNS servers there and even do DNSSEC on them.
From owner-namedroppers@ops.ietf.org Thu May 7 09:38:47 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C67A83A7001; Thu, 7 May 2009 09:38:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.824
X-Spam-Level:
X-Spam-Status: No, score=-5.824 tagged_above=-999 required=5 tests=[AWL=-0.776, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itcDGSfnjVE5; Thu, 7 May 2009 09:38:39 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id F3FAF3A7028; Thu, 7 May 2009 09:38:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M26Vq-000FzL-LF for namedroppers-data0@psg.com; Thu, 07 May 2009 16:31:58 +0000
Received: from [129.6.16.226] (helo=smtp.nist.gov) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M26VM-000Fx0-6Q for namedroppers@ops.ietf.org; Thu, 07 May 2009 16:31:41 +0000
Received: from 98-140.antd.nist.gov (98-140.antd.nist.gov [129.6.140.98]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id n47GVG4K025919; Thu, 7 May 2009 12:31:18 -0400
Message-ID: <4A030CD4.4000502@nist.gov>
Date: Thu, 07 May 2009 12:31:16 -0400
From: Scott Rose
Organization: NIST
User-Agent: Thunderbird 2.0.0.6 (X11/20070728)
MIME-Version: 1.0
To: Francis Dupont
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
References: <200905041416.n44EG0Xk085814@givry.fdupont.fr>
In-Reply-To: <200905041416.n44EG0Xk085814@givry.fdupont.fr>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: scottr@nist.gov
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Francis Dupont wrote:
> In your previous mail you wrote:
>
>    >5. Availability Considerations
>
>    And SHA1 "is [eventually?] likely to suffer" - any time soon? This
>    doc title is about HMAC-MD5, not SHA1.
>
> => SHA1 end of life is planned in 2010 (cf NIST, BTW 2010 is next year)
> so even there is nothing against HMAC-SHA1 the same availability problem
> could occur so between the two remaining "mandatory to support" algos
> HMAC-SHA256 is the best candidate.
> BTW I agree it is far too soon to say more about SHA1.
>
Minor point-
SHA-1 will no longer be approved for use (within the US Government only)
with digital signing. HMAC-SHA1 is still acceptable if the secret
string used is a sufficient length and random (i.e. generated using an
approved random number generation technology).

Given the recent news about SHA-1, that might change.

Scott

--
----------------------------------------
Scott Rose
Computer Scientist
NIST
ph: +1 301-975-8439
scott.rose@nist.gov

http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 7 10:32:15 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DCE813A6A95; Thu, 7 May 2009 10:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.355
X-Spam-Level:
X-Spam-Status: No, score=-3.355 tagged_above=-999 required=5 tests=[AWL=1.140, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6kyJkAip23G; Thu, 7 May 2009 10:32:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 024DD3A6B4D; Thu, 7 May 2009 10:32:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M27OG-000L7H-Pj for namedroppers-data0@psg.com; Thu, 07 May 2009 17:28:12 +0000
Received: from [192.245.12.227] (helo=balder-227.proper.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M27Nl-000KzQ-Rj for namedroppers@ops.ietf.org; Thu, 07 May 2009 17:27:50 +0000
Received: from [10.20.30.158] (sn87.proper.com [75.101.18.87]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n47HOwGv057270 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 7 May 2009 10:24:59 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id:
In-Reply-To: <4A030CD4.4000502@nist.gov>
References: <200905041416.n44EG0Xk085814@givry.fdupont.fr> <4A030CD4.4000502@nist.gov>
Date: Thu, 7 May 2009 10:21:15 -0700
To: Scott Rose, Francis Dupont
From: Paul Hoffman
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
Cc: namedroppers@ops.ietf.org
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

At 12:31 PM -0400 5/7/09, Scott Rose wrote:
>Minor point-
>SHA-1 will no longer be approved for use (within the US Government only)
>with digital signing. HMAC-SHA1 is still acceptable if the secret
>string used is a sufficient length and random (i.e. generated using an
>approved random number generation technology).

This is not a minor point, particularly with respect to the draft.

--Paul Hoffman, Director
--VPN Consortium

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 7 14:27:21 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E3DD3A68CF; Thu, 7 May 2009 14:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.522
X-Spam-Level: *
X-Spam-Status: No, score=1.522 tagged_above=-999 required=5 tests=[AWL=-0.455, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nBYfa0mMLuL4; Thu, 7 May 2009 14:27:19 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7EFA83A68B6; Thu, 7 May 2009 14:27:19 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2B0H-000EER-Of for namedroppers-data0@psg.com; Thu, 07 May 2009 21:19:41 +0000
Received: from [209.86.89.65] (helo=elasmtp-kukur.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2Azu-000EBj-8S for namedroppers@ops.ietf.org; Thu, 07 May 2009 21:19:25 +0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=g0fCKBhfxM5/9ckVEWfwmomrLjYj0hP5REvncLLFJEyw3DD5y6V6zRx80fb+gUsd; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [4.227.103.7] (helo=ix.netcom.com) by elasmtp-kukur.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M2Azr-0006v0-E4; Thu, 07 May 2009 17:19:16 -0400
Message-ID: <4A035039.91F6CA53@ix.netcom.com>
Date: Thu, 07 May 2009 14:18:49 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Scott Rose
CC: Francis Dupont, namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
References: <200905041416.n44EG0Xk085814@givry.fdupont.fr> <4A030CD4.4000502@nist.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606887b6c1d42fc1213af2315bf9fcf323601350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 4.227.103.7
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Scott and all,

SHA-1 was broken/compromised over two years ago now, and NIST should
have immediately discontinued its approved use at that time. This said,
I for one am relieved that NIST has belatedly decided that SHA-1 is no
longer approved for Govt. use.

HMAC-SHA1 also should be discontinued for Govt. use ASAP. It appears
that there has been some successful breakage here as well. Key lengths
of 512k or larger may still be safe for use however. Frankly, if I were
the USG, I would get away from HMAC altogether ASAP as well. But that's
your all's call. Basically we need to stay 2 steps ahead of the black
hat Crackers.

Scott Rose wrote:
> Francis Dupont wrote:
> > In your previous mail you wrote:
> >
> >    >5. Availability Considerations
> >
> >    And SHA1 "is [eventually?] likely to suffer" - any time soon? This
> >    doc title is about HMAC-MD5, not SHA1.
> >
> > => SHA1 end of life is planned in 2010 (cf NIST, BTW 2010 is next year)
> > so even there is nothing against HMAC-SHA1 the same availability problem
> > could occur so between the two remaining "mandatory to support" algos
> > HMAC-SHA256 is the best candidate.
> > BTW I agree it is far too soon to say more about SHA1.
> >
> Minor point-
> SHA-1 will no longer be approved for use (within the US Government only)
> with digital signing. HMAC-SHA1 is still acceptable if the secret
> string used is a sufficient length and random (i.e. generated using an
> approved random number generation technology).
>
> Given the recent news about SHA-1, that might change.
>
> Scott
>
> --
> ----------------------------------------
> Scott Rose
> Computer Scientist
> NIST
> ph: +1 301-975-8439
> scott.rose@nist.gov
>
> http://www-x.antd.nist.gov/dnssec
> http://www.dnsops.gov/
> -----------------------------------------
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive:

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by P: i.e.,
whether B is less than PL." United States v. Carroll Towing (159 F.2d
169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 05:43:36 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A2323A6855; Fri, 8 May 2009 05:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OQw-9okyhyCM; Fri, 8 May 2009 05:43:35 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 910093A682B; Fri, 8 May 2009 05:43:35 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PJ2-000Nmc-DK for namedroppers-data0@psg.com; Fri, 08 May 2009 12:36:00 +0000
Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PIp-000Nlj-GJ for namedroppers@ops.ietf.org; Fri, 08 May 2009 12:35:53 +0000
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n48CZb3B011469; Fri, 8 May 2009 14:35:37 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905081235.n48CZb3B011469@givry.fdupont.fr>
From: Francis Dupont
To: Scott Rose
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
In-reply-to: Your message of Thu, 07 May 2009 12:31:16 EDT. <4A030CD4.4000502@nist.gov>
Date: Fri, 08 May 2009 14:35:37 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In your previous mail you wrote:

   Minor point-

=> note I agree it is minor (we don't talk about RSA-SHA1 here, i.e.,
the I-D is not draft-ietf-dnsext-dnssec-rsasha256).

   SHA-1 will no longer be approved for use (within the US Government only)
   with digital signing. HMAC-SHA1 is still acceptable if the secret
   string used is a sufficient length and random (i.e. generated using an
   approved random number generation technology).

   Given the recent news about SHA-1, that might change.

=> this is an example of what suggests SHA-1 could become unavailable
(a drastic way to enforce no misuse of SHA-1 is just to not provide it).

BTW the proposed requirements (HMAC-SHA1 and HMAC-SHA256 mandatory to
support, HMAC-SHA256 recommended to use) are still good. Perhaps one
day we'll have to make HMAC-SHA1 support only optional but it is clearly
too soon.

Regards

Francis.Dupont@fdupont.fr

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Fri May 8 05:51:42 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37F2E3A6D24; Fri, 8 May 2009 05:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.562
X-Spam-Level:
X-Spam-Status: No, score=-2.562 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNAXTAmMm0sv; Fri, 8 May 2009 05:51:41 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 602C63A6B7F; Fri, 8 May 2009 05:50:53 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PTv-000OhX-6p for namedroppers-data0@psg.com; Fri, 08 May 2009 12:47:15 +0000
Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PTY-000OfF-Mt for namedroppers@ops.ietf.org; Fri, 08 May 2009 12:46:58 +0000
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n48Ckmtf011538; Fri, 8 May 2009 14:46:48 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905081246.n48Ckmtf011538@givry.fdupont.fr>
From: Francis Dupont
To: Paul Hoffman
cc: Scott Rose, namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
In-reply-to: Your message of Thu, 07 May 2009 10:21:15 PDT.
Date: Fri, 08 May 2009 14:46:48 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In your previous mail you wrote:

   At 12:31 PM -0400 5/7/09, Scott Rose wrote:
   >Minor point-
   >SHA-1 will no longer be approved for use (within the US Government only)
   >with digital signing. HMAC-SHA1 is still acceptable if the secret
   >string used is a sufficient length and random (i.e. generated using an
   >approved random number generation technology).

   This is not a minor point, particularly with respect to the draft.

=> note the draft here is *not* draft-ietf-dnsext-dnssec-rsasha256 but
draft-ietf-dnsext-tsig-md5-deprecated. I can't see why it is not a
minor point:
 - SHA-1 is still approved for HMAC-SHA1 and key generation (i.e., TKEY)
 - so one can reasonably expect to get it in US certified crypto today
   (i.e., the use of certified crypto and RFC compliance are still compatible)
 - so "if the secret..." is a constraint on use which is compatible too
 - the recommendation for HMAC-SHA256 seems to be compatible too
   (even a "if a secret..." constraint is very likely to be applied too).

So this "minor point" only increases the opportunity to update TSIG and
TKEY algo requirement levels.

Regards

Francis.Dupont@fdupont.fr

PS: of course the situation is different for draft-ietf-dnsext-dnssec-rsasha256:
to wait becomes less and less acceptable.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Fri May 8 05:54:04 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A6B523A7161; Fri, 8 May 2009 05:54:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.63 X-Spam-Level: X-Spam-Status: No, score=-5.63 tagged_above=-999 required=5 tests=[AWL=-0.582, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWNwADtfKIsS; Fri, 8 May 2009 05:54:02 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C43B73A7136; Fri, 8 May 2009 05:54:01 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PXO-000P49-1L for namedroppers-data0@psg.com; Fri, 08 May 2009 12:50:50 +0000 Received: from [129.6.16.226] (helo=smtp.nist.gov) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PWu-000Ozb-0n for namedroppers@ops.ietf.org; Fri, 08 May 2009 12:50:34 +0000 Received: from postmark.nist.gov (emailha2.nist.gov [129.6.16.198]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id n48Co8aj025599; Fri, 8 May 2009 08:50:08 -0400 Received: from [129.6.222.97] (h222097.nist.gov [129.6.222.97]) by postmark.nist.gov (8.13.1/8.13.1) with ESMTP id n48Cnta2027905; Fri, 8 May 2009 08:49:56 -0400 User-Agent: Microsoft-Entourage/12.17.0.090302 Date: Fri, 08 May 2009 08:49:55 -0400 Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt From: Scott Rose To: Francis Dupont CC: Message-ID: Thread-Topic: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt Thread-Index: AcnP23x7MGS5JqWqKESjyswpvsgfIQ== In-Reply-To: 
<200905081235.n48CZb3B011469@givry.fdupont.fr>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-NIST-MailScanner-Information:
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: scottr@nist.gov
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Yes - I agree with the requirements in the current draft. I would like to see as much algorithm agility in implementations as possible, but that's beyond the scope of this draft. Currently, there is some growing concern about hmac-sha1 from the crypto folks here, so it's a good idea to have hmac-sha256 implemented as well to make transition easier without having to wait for upgrades.

Scott

On 5/8/09 8:35 AM, "Francis Dupont" wrote:
> In your previous mail you wrote:
>
>    Minor point-
>
> => note I agree it is minor (we don't talk about RSA-SHA1 here, i.e.,
> the I-D is not draft-ietf-dnsext-dnssec-rsasha256).
>
>    SHA-1 will no longer be approved for use (within the US Government only)
>    with digital signing. HMAC-SHA1 is still acceptable if the secret
>    string used is a sufficient length and random (i.e. generated using an
>    approved random number generation technology).
>
>    Given the recent news about SHA-1, that might change.
>
> => this is an example of what suggests SHA-1 could become unavailable
> (a drastic way to enforce no misuse of SHA-1 is just to not provide it).
>
> BTW the proposed requirements (HMAC-SHA1 and HMAC-SHA256 mandatory to
> support, HMAC-SHA256 recommended to use) are still good. Perhaps one
> day we'll have to make HMAC-SHA1 support only optional but it is clearly
> too soon.
>
> Regards
>
> Francis.Dupont@fdupont.fr

===================================
Scott Rose
NIST
scottr@nist.gov
ph: +1 301-975-8439
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
===================================

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 06:18:07 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 123C63A7098; Fri, 8 May 2009 06:18:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XdlrZCuwJdze; Fri, 8 May 2009 06:18:06 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 248E33A6CE4; Fri, 8 May 2009 06:18:06 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2PvD-00028a-1v for namedroppers-data0@psg.com; Fri, 08 May 2009 13:15:27 +0000
Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2Pv0-00027O-9R for namedroppers@ops.ietf.org; Fri, 08 May 2009 13:15:20 +0000
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n48DF7XK011755; Fri, 8 May 2009 15:15:08 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905081315.n48DF7XK011755@givry.fdupont.fr>
From: Francis Dupont
To: "Jeffrey A. Williams"
cc: Scott Rose , namedroppers@ops.ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-02.txt
In-reply-to: Your message of Thu, 07 May 2009 14:18:49 PDT. <4A035039.91F6CA53@ix.netcom.com>
Date: Fri, 08 May 2009 15:15:07 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In your previous mail you wrote:

   HMAC-SHA1 also should be discontinued for Govt. use ASAP.

=> as I am not a US citizen I don't comment (:-).

   It appears that there have been some successful breakage here as well.

=> I am interested in a reference to a serious scientific paper about this point.

   Key lengths of 512k or larger may still be safe for use however.

=> as far as I know a key larger than the block size doesn't bring more security to HMAC.

Francis.Dupont@fdupont.fr

PS: if there are some cryptographers in the room, I look for a short and readable (for standard human beings) explanation about the reasons why a key smaller than the half of the digest size (i.e., 80 for SHA-1, 128 for SHA-256) is not good, and a key larger than the digest size does not bring more (i.e., with a digest size S, the acceptable range should be [S/2, infinity) and default S for the key size).

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
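Scott's note asks for hmac-sha256 to be implemented alongside hmac-sha1, and Francis's exchange with Jeffrey turns on what key length actually buys you in HMAC. The following is an added example, not code from the draft or from any implementation discussed on the list: RFC 2104's HMAC written out step by step so the key handling is visible, checked against Python's hmac module, plus a small function that applies the key-length guidance of RFC 2104 section 3 (keys shorter than the digest size L are strongly discouraged, keys longer than L add little, keys longer than the block size B are first hashed down to L bytes). The TSIG algorithm names are the registry names from RFC 2845 and RFC 4635; the keys and message in the demo are constructed.

```python
"""HMAC as RFC 2104 defines it, with the key handling made visible.

Added example, not code from the draft or from any implementation on the
list.  Block size B and digest size L are read from hashlib; the keys and
message used in the demo at the bottom are constructed.
"""
import hashlib
import hmac

# TSIG algorithm names as used in TSIG RRs: RFC 2845 (HMAC-MD5) and
# RFC 4635 (the SHA family).  HMAC-MD5 is included only to show that the
# same key-length rules apply to the algorithm the draft deprecates.
ALGS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}


def hmac_rfc2104(h, key: bytes, msg: bytes) -> bytes:
    """HMAC(K, text) = H((K' XOR opad) || H((K' XOR ipad) || text)).

    Step (1) is the one that answers the "512k key" question: a key longer
    than the block size B is replaced by H(K), an L-byte value, before it
    is used at all.
    """
    B = h().block_size                      # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > B:
        key = h(key).digest()               # (1) K longer than B -> H(K)
    key = key.ljust(B, b"\x00")             # (2) zero-pad K to B bytes
    ipad = bytes(k ^ 0x36 for k in key)     # (3) inner key
    opad = bytes(k ^ 0x5C for k in key)     # (4) outer key
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def long_key_equivalent(alg: str, key: bytes, msg: bytes) -> bool:
    """True when HMAC(key) == HMAC(H(key)): a key longer than B bytes is
    interchangeable with its L-byte hash, so the extra length is not
    secret material an attacker would ever have to recover."""
    h = ALGS[alg]
    if len(key) <= h().block_size:
        raise ValueError("check only applies to keys longer than B bytes")
    return hmac_rfc2104(h, key, msg) == hmac_rfc2104(h, h(key).digest(), msg)


def matches_stdlib(alg: str, key: bytes, msg: bytes) -> bool:
    """Sanity check of the hand-written HMAC against Python's hmac module."""
    h = ALGS[alg]
    return hmac.compare_digest(hmac_rfc2104(h, key, msg),
                               hmac.new(key, msg, h).digest())


def key_length_advice(alg: str, key_len: int) -> str:
    """RFC 2104 section 3: keys shorter than L bytes are strongly
    discouraged; keys longer than L add little; keys longer than B are
    hashed down to L bytes before use."""
    h = ALGS[alg]()
    L, B = h.digest_size, h.block_size
    if key_len < L:
        return "short: below digest size %d, discouraged by RFC 2104" % L
    if key_len <= B:
        return "ok: digest size %d reached, extra length adds little" % L
    return "long: above block size %d, hashed down to %d bytes first" % (B, L)


if __name__ == "__main__":
    msg = b"constructed TSIG-covered message"
    big_key = bytes(range(256)) * 16        # 4096-byte constructed key
    for alg in ALGS:
        print(alg, "|", key_length_advice(alg, len(big_key)),
              "| equivalent to H(K):", long_key_equivalent(alg, big_key, msg),
              "| matches hmac module:", matches_stdlib(alg, big_key, msg))
```

The block-size point Francis makes is step (1): a 4096-byte key and its 32-byte SHA-256 hash yield identical MACs, so the extra bytes never enter the computation. Whether keys between L and B bytes add strength is exactly the question his PS leaves open; key_length_advice only restates what RFC 2104 says, it does not settle it.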
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 07:36:40 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DAC13A6C78; Fri, 8 May 2009 07:36:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.448
X-Spam-Level:
X-Spam-Status: No, score=-102.448 tagged_above=-999 required=5 tests=[AWL=0.152, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbSOSwdEzv7e; Fri, 8 May 2009 07:36:39 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 34B993A7171; Fri, 8 May 2009 07:35:59 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2R72-0007ZB-0t for namedroppers-data0@psg.com; Fri, 08 May 2009 14:31:44 +0000
Received: from [2001:1890:1112:1::20] (helo=mail.ietf.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2R6p-0007Y6-9J for namedroppers@ops.ietf.org; Fri, 08 May 2009 14:31:37 +0000
Received: by core3.amsl.com (Postfix, from userid 0) id 5BBB83A6C38; Fri, 8 May 2009 07:30:00 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-03.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090508143001.5BBB83A6C38@core3.amsl.com>
Date: Fri, 8 May 2009 07:30:01 -0700 (PDT)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS Extensions Working Group of the IETF.

        Title           : Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
        Author(s)       : F. Dupont
        Filename        : draft-ietf-dnsext-tsig-md5-deprecated-03.txt
        Pages           : 6
        Date            : 2009-05-08

The main purpose of this document is to deprecate the use of HMAC-MD5 as an algorithm for the TSIG (secret key transaction authentication) resource record in the DNS (domain name system), and the use of MD5 in TKEY (secret key establishment for DNS).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-tsig-md5-deprecated-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--NextPart
Content-Type: Message/External-body; name="draft-ietf-dnsext-tsig-md5-deprecated-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-05-08071908.I-D@ietf.org>

--NextPart--

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 07:49:42 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FD6B3A6D9C; Fri, 8 May 2009 07:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level:
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zJKqkW4eHt8; Fri, 8 May 2009 07:49:41 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9EAC53A6B16; Fri, 8 May 2009 07:49:41 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2RLP-0008js-C1 for namedroppers-data0@psg.com; Fri, 08 May 2009 14:46:35 +0000
Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2RKs-0008hU-W3 for namedroppers@ops.ietf.org; Fri, 08 May 2009 14:46:18 +0000
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n48Ek1Jm012361; Fri, 8 May 2009 16:46:01 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <200905081446.n48Ek1Jm012361@givry.fdupont.fr>
From: Francis Dupont
To: dnsext-chairs@tools.ietf.org
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] new version of tsig-md5-deprecated I-D available
MIME-Version: 1.0
Content-Type: message/rfc822
Content-ID: <12359.1241793959.1@givry.fdupont.fr>
Content-Description: forwarded message
Date: Fri, 08 May 2009 16:46:01 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Return-Path: i-d-announce-bounces@ietf.org
Delivery-Date: Fri May 8 16:32:32 2009
Return-Path:
Received: from mail.ietf.org (mail.ietf.org [IPv6:2001:1890:1112:1::20]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n48EWVuO012289 for ; Fri, 8 May 2009 16:32:31 +0200 (CEST) (envelope-from i-d-announce-bounces@ietf.org)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59AEC3A7134; Fri, 8 May 2009 07:30:03 -0700 (PDT)
X-Original-To: i-d-announce@ietf.org
Delivered-To: i-d-announce@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 5BBB83A6C38; Fri, 8 May 2009 07:30:00 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action:draft-ietf-dnsext-tsig-md5-deprecated-03.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090508143001.5BBB83A6C38@core3.amsl.com>
Date: Fri, 8 May 2009 07:30:01 -0700 (PDT)
Cc: namedroppers@ops.ietf.org
X-BeenThere: i-d-announce@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: internet-drafts@ietf.org
List-Id: Internet Draft Announcements only
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: i-d-announce-bounces@ietf.org
Errors-To: i-d-announce-bounces@ietf.org

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS Extensions Working Group of the IETF.

        Title           : Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
        Author(s)       : F. Dupont
        Filename        : draft-ietf-dnsext-tsig-md5-deprecated-03.txt
        Pages           : 6
        Date            : 2009-05-08

The main purpose of this document is to deprecate the use of HMAC-MD5 as an algorithm for the TSIG (secret key transaction authentication) resource record in the DNS (domain name system), and the use of MD5 in TKEY (secret key establishment for DNS).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-tsig-md5-deprecated-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--NextPart
Content-Type: Message/External-body; name="draft-ietf-dnsext-tsig-md5-deprecated-03.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-05-08071908.I-D@ietf.org>

--NextPart
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

--NextPart--

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 07:59:39 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 473F428C1E6; Fri, 8 May 2009 07:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.137
X-Spam-Level:
X-Spam-Status: No, score=-1.137 tagged_above=-999 required=5 tests=[AWL=-0.942, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iY1+ggdU1b3i; Fri, 8 May 2009 07:59:38 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 63A3A3A7098; Fri, 8 May 2009 07:59:38 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2RS6-0009IA-7E for namedroppers-data0@psg.com; Fri, 08 May 2009 14:53:30 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2RRs-0009Gx-3Y for namedroppers@ops.ietf.org; Fri, 08 May 2009 14:53:23 +0000
Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n48ErDH3055593 for ; Fri, 8 May 2009 10:53:14 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200905081453.n48ErDH3055593@stora.ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 08 May 2009 10:53:13 -0400
To: namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT chair
Subject: [dnsext] WGLC TSIG MD5 Deprecated
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

This note starts a Working Group Last Call for this Standards Track document ending on midnight May 24'th UTZ 2009.

URL for the document and its history:
http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-tsig-md5-deprecated/

This document is on the Standards Track. The document updates standards track documents and redefines an IANA registry.

Please read the document carefully, and send your comments to the mailing list.

The document process rules in this working group require that at least 5 members of the working group state that they have reviewed the document and there is consensus of support to publish it as a Standards Track RFC.

        Olafur (for the chairs)

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 11:21:36 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7ADD73A6EDE; Fri, 8 May 2009 11:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.006
X-Spam-Level:
X-Spam-Status: No, score=-0.006 tagged_above=-999 required=5 tests=[AWL=-1.276, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_INFO=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nmqqk9cD6jn0; Fri, 8 May 2009 11:21:35 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 704D23A68EE; Fri, 8 May 2009 11:21:31 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2Uat-000OON-7s for namedroppers-data0@psg.com; Fri, 08 May 2009 18:14:47 +0000
Received: from [208.86.224.201] (helo=mail.yitter.info) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2UaX-000OMw-Q7 for namedroppers@ops.ietf.org; Fri, 08 May 2009 18:14:31 +0000
Received: from crankycanuck.ca (CPE00212980eb9c-CM00194757af08.cpe.net.cable.rogers.com [99.249.242.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 878832FE9574 for ; Fri, 8 May 2009 18:14:24 +0000 (UTC)
Date: Fri, 8 May 2009 14:14:22 -0400
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Subject: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090508181422.GH2372@shinkuro.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Dear colleagues,

Your Chairs have been observing the discussion around adoption of various drafts for techniques to mitigate forgeries and cache poisoning. It appears to us that the WG is not converging on consensus.

We currently have a request open to adopt EDNS0 ping. The discussion of adopting the document appeared to expose a fault in the community, where some expressed strong opposition to undertaking any further forgery resilience work when DNSSEC is already available, while others argued that DNSSEC is not getting deployed and therefore we need other urgent action. Meanwhile, some other mechanisms, including "0x20" and those outlined in draft-wijngaards-dnsext-resolver-side-mitigation-01.txt seem to be showing up in various implementations.

We think it would be better if we came to some more or less shared agreement on what to do in this space (including nothing). The portion of the meeting we had in Dublin that was dedicated to this topic seems not to have inspired consensus. Therefore, we would like to present five options for consideration:

1. Do nothing, and take all energy that might be devoted to this effort and direct it towards DNSSEC deployment.

2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and include in it recommendations to do nothing else except what that document contains. Remove from section 3 any strategies we do not want to adopt. (Note that this latter condition entails decisions about the next two options.)

3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps this gets included in that document, or perhaps it proceeds as part of a set of documents. Let's leave the editorial process issues out of the discussion, and just focus on whether we want to include this strategy in the tool box.

4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this might be included as part of (2) or processed individually, but that doesn't matter.

5. Officially adopt nothing, but support (2) and (3) going ahead as individual submissions on the Informational track. (2) would obviously need to be modified slightly to keep out any protocol items that might be entailed. The reason (4) can't just go ahead on the individual track is that the assignment of an EDNS0 code point requires standards action, so the work would come back here anyway.

We will plan to request a meeting session in Stockholm to discuss this issue (and possibly some other topics before us). If the WG can come to a clear consensus on-list before then (and we have no other business), then obviously we will be in a position to cancel the Stockholm session. If we have not come to a conclusion by 20 May, we will keep the session scheduled.

In the absence of strong arguments in favour of action and at least an apparently broad constituency to do the work within the WG, the Chairs are inclined to take option (1), because the WG is supposed to be sleeping. This is by no means to say that we are prejudiced in favour of that option. It is rather to say that we are procedurally bound, by our charter, to a default of "No" for at least some of these documents. Adding a new standards-track item to the WG work requires rechartering, please note, and given one other request we have open we may therefore need to recharter anyway.

Best regards,

Olafur and Andrew

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
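Option (3) in the chairs' message is the "0x20" technique. The following is an added example, not code from draft-vixie-dnsext-dns0x20 or from any resolver, of the resolver-side logic in Python: randomise the case of the letters in the QNAME (RFC 1034 makes name comparison case-insensitive, so a well-behaved authority answers anyway and copies the question back byte for byte), require the echoed question to match exactly, and count how many bits a blind off-path forger would have to guess per attempt. The function names and the sample names are this example's own.

```python
"""0x20 query-name case randomisation, resolver side.

Added example, not code from draft-vixie-dnsext-dns0x20 or from any
resolver.  The function names and the sample names are this example's own.
"""
import secrets


def case_bits(qname: str) -> int:
    """Entropy 0x20 can add to this name: one bit per ASCII letter.
    Digits, hyphens and label dots have no case and contribute nothing."""
    return sum(1 for c in qname if c.isascii() and c.isalpha())


def apply_0x20(qname: str, bits: int) -> str:
    """Set the case of the i-th letter from bit i of `bits`, LSB first.
    Only the 0x20 bit of each ASCII letter changes, hence the name."""
    out, i = [], 0
    for c in qname:
        if c.isascii() and c.isalpha():
            out.append(c.upper() if (bits >> i) & 1 else c.lower())
            i += 1
        else:
            out.append(c)
    return "".join(out)


def randomise_qname(qname: str) -> str:
    """What the resolver puts in the question section of the outgoing query."""
    n = case_bits(qname)
    return apply_0x20(qname, secrets.randbits(n)) if n else qname


def reply_matches(sent_qname: str, echoed_qname: str) -> bool:
    """The 0x20 check.  RFC 1034 only requires names to compare equal
    case-insensitively; the resolver instead demands that the authority
    echoed the question back byte for byte."""
    return sent_qname == echoed_qname


def blind_forgery_accepted(sent_qname: str, guessed_bits: int) -> bool:
    """One forged reply from an attacker who never saw the query and has
    to guess the case pattern.  (It would also need the right transaction
    ID and, if the resolver randomises it, the right source port.)"""
    return reply_matches(sent_qname, apply_0x20(sent_qname, guessed_bits))


def guess_space_bits(qname: str, txid_bits: int = 16, port_bits: int = 0) -> int:
    """Bits a blind forger must get right per attempt: transaction ID,
    source-port entropy (0 if the resolver uses one fixed port) and the
    case bits.  For a name with no letters 0x20 adds nothing."""
    return txid_bits + port_bits + case_bits(qname)


if __name__ == "__main__":
    for name in ("www.example.com", "1.0.0.127.in-addr.arpa", "1234."):
        q = randomise_qname(name)
        print("%-24s sent as %-24s case bits=%2d guess space=%2d bits"
              % (name, q, case_bits(name), guess_space_bits(name, port_bits=16)))
    q = randomise_qname("www.example.com")
    # A forger who simply answers in lower case only wins if every bit was 0.
    print("lower-case forgery accepted:", blind_forgery_accepted(q, 0))
```

Two things the demo makes visible: the gain depends entirely on how many letters the name has (a pure-digit owner name gets nothing from 0x20), and the check is a strict comparison that a resolver must be prepared to see fail against an authority that rewrites the question to lower case, which is a deployment caveat of the technique rather than anything said in the message above.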
archive:
From owner-namedroppers@ops.ietf.org Fri May 8 14:33:18 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F5443A6FEC; Fri, 8 May 2009 14:33:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.906
X-Spam-Level:
X-Spam-Status: No, score=-4.906 tagged_above=-999 required=5 tests=[AWL=-0.728, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dnd6EWifOLJu; Fri, 8 May 2009 14:33:17 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id DB2773A6CE1; Fri, 8 May 2009 14:32:29 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2Xat-000Cvd-Ll for namedroppers-data0@psg.com; Fri, 08 May 2009 21:26:59 +0000
Received: from [192.150.186.11] (helo=fruitcake.ICSI.Berkeley.EDU) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2Xah-000Cut-Gz for namedroppers@ops.ietf.org; Fri, 08 May 2009 21:26:53 +0000
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id n48LQkgk017269; Fri, 8 May 2009 14:26:46 -0700 (PDT)
Cc: Nicholas Weaver , namedroppers@ops.ietf.org
Message-Id: <52E1D5B7-35B9-4EDD-90B8-B6658645DFF3@icsi.berkeley.edu>
From: Nicholas Weaver
To: Andrew Sullivan
In-Reply-To: <20090508181422.GH2372@shinkuro.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Fri, 8 May 2009 14:26:45 -0700
References: <20090508181422.GH2372@shinkuro.com>
X-Mailer: Apple Mail (2.930.3)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On May 8, 2009, at 11:14 AM, Andrew Sullivan wrote:

> We think it would be better if we came to some more or less shared
> agreement on what to do in this space (including nothing). The
> portion of the meeting we had in Dublin that was dedicated to this
> topic seems not to have inspired consensus. Therefore, we would like
> to present five options for consideration:
>
> 1. Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.
>
> 2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and
> include in it recommendations to do nothing else except what that
> document contains. Remove from section 3 any strategies we do not
> want to adopt. (Note that this latter condition entails decisions
> about the next two options.)

I'd argue against one, simply because in 2 there are some really key ideas, especially in section 3.2 and 3.3.

Notably, 3.2 and 3.3 (or variant approaches) eliminate the race-until-win nature of out-of-path attacks, which increase attacker complexity in time rather than packets. They also only directly affect resolvers from a protocol viewpoint (all the additional queries are within specification), and the only open questions are those of load on authorities and the additional queries from resolvers.

Preliminary evaluations I did on a slightly different way of phrasing 3.3 suggested that the load magnification was tolerable, and if desired, I could investigate doing a more comprehensive analysis of the increased load on various portions of the resolution chain.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Sat May 9 06:40:09 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 093233A6825; Sat, 9 May 2009 06:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.831
X-Spam-Level:
X-Spam-Status: No, score=0.831 tagged_above=-999 required=5 tests=[AWL=-0.196, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3F87lX2JVb1; Sat, 9 May 2009 06:40:08 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BF6CA3A6E06; Sat, 9 May 2009 06:40:07 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2mgZ-000DTL-H6 for namedroppers-data0@psg.com; Sat, 09 May 2009 13:33:51 +0000
Received: from [209.85.220.169] (helo=mail-fx0-f169.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M2mgN-000DSL-Me for namedroppers@ops.ietf.org; Sat, 09 May 2009 13:33:45 +0000
Received: by fxm17 with SMTP id 17so2078177fxm.41 for ; Sat, 09 May 2009 06:33:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.113.9 with SMTP id y9mr2773946fap.19.1241876017826; Sat, 09 May 2009 06:33:37 -0700 (PDT)
In-Reply-To: <200905081453.n48ErDH3055593@stora.ogud.com>
References: <200905081453.n48ErDH3055593@stora.ogud.com>
Date: Sat, 9 May 2009 15:33:37 +0200
Message-ID:
Subject: Re: [dnsext] WGLC TSIG MD5 Deprecated
From: Ondřej Surý
To: "namedroppers@ops.ietf.org"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Just a small nitpick: I would prefer using [TBD] instead of [] in section 4, so the document is more clear when you read it for the first time. But it's absolutely not mandatory and I have read the document, and I do support publishing.

Ondrej.

2009/5/8 Ólafur Guðmundsson :
>
> This note starts a Working Group Last Call for this Standards Track document
> ending on midnight May 24'th UTZ 2009.
>
> URL for the document and its history:
> http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-tsig-md5-deprecated/
>
> This document is on the Standards Track. The document updates standards
> track documents and redefines an IANA registry.
>
> Please read the document carefully, and send your comments to the mailing
> list.
>
> The document process rules in this working group require that at least
> 5 members of the working group state that they have reviewed the document
> and there is consensus of support to publish it as a Standards Track RFC.
>
>         Olafur (for the chairs)
>
>
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive:
>

--
Ondrej Sury
technicky reditel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americka 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
Plus an extra 15 percent discount when you get two time pieces in the same purchase! http://spijofe.cn Check out our extensive inventory and enjoy the fastest shipping available online! See you at Diam0nd Reps! From owner-namedroppers@ops.ietf.org Sun May 10 13:27:19 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0DCF3A6D37; Sun, 10 May 2009 13:27:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.382 X-Spam-Level: X-Spam-Status: No, score=-0.382 tagged_above=-999 required=5 tests=[AWL=-0.757, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nchpr3ynrk74; Sun, 10 May 2009 13:27:19 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E132B3A6BCF; Sun, 10 May 2009 13:27:18 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3FVB-00085V-16 for namedroppers-data0@psg.com; Sun, 10 May 2009 20:20:01 +0000 Received: from [209.85.219.160] (helo=mail-ew0-f160.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3FUx-00084h-VF for namedroppers@ops.ietf.org; Sun, 10 May 2009 20:19:54 +0000 Received: by ewy4 with SMTP id 4so3187091ewy.41 for ; Sun, 10 May 2009 13:19:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=R1Lr2hnOn4dLA69SkQGfqDh/zQFNy/aOPOEcM1MIbkY=; b=BAkdXk1DKQT+wXil+f0zOh14lSp5dfbex8HohxhVUwKObGsr7HEW0jE2laDz73B47G 
kOW41vmyvIlWJrc3G+Xv4C+98rPGGwIslINIJCwLmHifRPsb5XrcUg1gbbSSspkE88iX 8QIcx+i5+383Zy1nBJ9htm+TFgvnGPCCx/7zk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=rTYJsMhxztcC7cTOjxxSV6i1/unyrASVjl6XrZmkbRbMkc4FR8xuJIFga1sua+nA0U bH3HTZiKne0Xzgfe/iyMu6WFprhJmI/4WZlmVrdLelMlp4IacDBOOh2YrZbyiWpuFpBh hAUANm/U+h157dPTPZRETjGbiakLid8hkVjt0= MIME-Version: 1.0 Received: by 10.210.87.11 with SMTP id k11mr2435060ebb.7.1241986786145; Sun, 10 May 2009 13:19:46 -0700 (PDT) In-Reply-To: <20090508181422.GH2372@shinkuro.com> References: <20090508181422.GH2372@shinkuro.com> From: bert hubert Date: Sun, 10 May 2009 22:19:26 +0200 Message-ID: <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm To: Andrew Sullivan Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

On Fri, May 8, 2009 at 8:14 PM, Andrew Sullivan wrote:
> topic seems not to have inspired consensus. Therefore, we would like
> to present five options for consideration:
>
> 1. Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.

This seems rather grand. Quite a number of people are interested in low hanging fruit kind of improvements versus the world of complexity known as DNSSEC. Not investing in EDNS0 and other measures will not necessarily mean a significant boost to DNSSEC work.

Furthermore, as is well known (although sometimes denied) DNSSEC remains just as vulnerable to spoofing at the delegation point as normal DNS. The difference is that with DNSSEC, spoofing at that level only leads to prolonged downtime. In other words, DNSSEC benefits from EDNS0 in a significant way.
In reality, however much people feel progress is being made, DNSSEC is still years and years, if not a decade, away. If this WG declares consensus on 'doing nothing', it may prove prudent as has been noted earlier, to proceed work elsewhere.

Bert

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive:

From owner-namedroppers@ops.ietf.org Mon May 11 00:54:40 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D382028B23E; Mon, 11 May 2009 00:54:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.165 X-Spam-Level: X-Spam-Status: No, score=-102.165 tagged_above=-999 required=5 tests=[AWL=-0.435, BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_MLH_Stock1=0.87, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id denfAy6PSoFM; Mon, 11 May 2009 00:54:38 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BBCB628C0DF; Mon, 11 May 2009 00:54:37 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3QEi-000O2R-It for namedroppers-data0@psg.com; Mon, 11 May 2009 07:47:44 +0000 Received: from [2001:7b8:206:1::1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3QEL-000O0i-Q7 for namedroppers@ops.ietf.org; Mon, 11 May 2009 07:47:37 +0000 Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl
[IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id n4B7lEs7098288 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 11 May 2009 09:47:17 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl) Message-ID: <4A07D802.9050400@nlnetlabs.nl> Date: Mon, 11 May 2009 09:47:14 +0200 From: "W.C.A. Wijngaards" User-Agent: Thunderbird 2.0.0.21 (X11/20090320) MIME-Version: 1.0 To: bert hubert CC: Andrew Sullivan , namedroppers@ops.ietf.org Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> In-Reply-To: <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Mon, 11 May 2009 09:47:17 +0200 (CEST) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Bert, bert hubert wrote: > Furthermore, as is well known (although sometimes denied) DNSSEC > remains just as vulnerable to spoofing at the delegation point as > normal DNS. The difference is that with DNSSEC, spoofing at that level > only leads to prolonged downtime. I am sorry, but spoofing at the delegation level does not lead to prolonged downtime with DNSSEC. Validators usually wait a short while before the bogus data is flushed out of the cache, but this is not 'prolonged'. Can you give details on this denial-of-service? 
Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoH2AIACgkQkDLqNwOhpPggUACgo6vNXQ3xuuhIZOjWEV2koRsF OrUAoJL43q2BJqOeV3xEk00s1UpzoqDe =JR8u -----END PGP SIGNATURE----- -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 11 01:19:12 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A3493A6CD8; Mon, 11 May 2009 01:19:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.624 X-Spam-Level: X-Spam-Status: No, score=0.624 tagged_above=-999 required=5 tests=[AWL=-1.610, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hP-+7hmkqRSD; Mon, 11 May 2009 01:19:11 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5619B3A67F0; Mon, 11 May 2009 01:19:11 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3QfQ-0000Af-06 for namedroppers-data0@psg.com; Mon, 11 May 2009 08:15:20 +0000 Received: from [209.85.219.160] (helo=mail-ew0-f160.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3Qez-00007u-7K for namedroppers@ops.ietf.org; Mon, 11 May 2009 08:15:04 +0000 Received: by ewy4 with SMTP id 4so3401753ewy.41 for ; Mon, 11 May 2009 01:14:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references 
:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=W98n4EsJIy8x/cK3uw6YSZLP8tdLOE6PxTZfdSjKR90=; b=Jok+eN6uiBEXqaSjIxC5mUkFdWfSVvH4TlxDDL3J4Tbt8o3DfMn8ii3cvwHQBYI5rF vwZmewsoQH1exgl+lsYBU8viVKlIlqVtTakvfOWIJVZa2DjA6x5UVvwrjWBNtt+rxPiF VRlplujDSShbkwA0X3b+fZvj2jy6xgFISjDdk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=ev9lldrZAe/B61VdT1AjyRSJ8ERbXx3SX7gRGNKxwGqA/u+KWf5KJKFTQpdNj0YxhM iqKGqjZSDMyYGwznxemi7FaRpHEYCAGHJGG39f5ps3U6SbBHirQ8vQA4Sen1ARA7Yh4W pH/ddh+VJdQhvEHVBh2yJjb6Fg+jv+fSEL+vg= MIME-Version: 1.0 Received: by 10.210.13.17 with SMTP id 17mr4425651ebm.64.1242029690092; Mon, 11 May 2009 01:14:50 -0700 (PDT) In-Reply-To: <4A07D802.9050400@nlnetlabs.nl> References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> From: bert hubert Date: Mon, 11 May 2009 10:14:30 +0200 Message-ID: <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm To: "W.C.A. Wijngaards" Cc: Andrew Sullivan , namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

On Mon, May 11, 2009 at 9:47 AM, W.C.A. Wijngaards wrote:
> bert hubert wrote:
> If you want to talk about it, that is fine.

I indeed think that DNSSEC won't ever be meaningfully deployed (auth, caches and stubs), and I think everybody here is wasting his time and his organization's money continuing the myth that DNSSEC will solve any real problem. But I have no position on whether one should want the existence of DNSSEC or not.
Verging over the edge of what should be discussed here, but I do want to make it clear, I've been informed there are rumors I have a financial incentive to derail DNSSEC. I am told that this is so because it would lose me business. This is as far from the truth as can be. In fact, if anybody really wanted DNSSEC in PowerDNS, I would have built it a long time ago. In fact, if someone wants to sponsor this work, I'll do it gladly. Sadly no one has stepped up, although sponsors have stepped up to sponsor other features the industry is waiting for. So everybody please believe me I am arguing for other security measures simply because I think DNSSEC won't be deployed on any real scale to make a difference.

> I am sorry, but spoofing at the delegation level does not lead to
> prolonged downtime with DNSSEC. Validators usually wait a short while
> before the bogus data is flushed out of the cache, but this is not
> 'prolonged'. Can you give details on this denial-of-service?

Take for example the DNSSEC signed .se zone, which provides excellent security for www.dnssec.de:

dnssec.se. 86400 IN NS secondary.se.
dnssec.se. 86400 IN NS ns.dnssec.se.
dnssec.se. 86400 IN NS primary.se.
dnssec.se. 3600 IN DS 2467 5 2 94DC01F2763CCB12F4B66AC63910830BC34082F6FE95CD75DAA3C5B3 7F99DD81
dnssec.se. 3600 IN DS 2467 5 1 B318215EB224C094B638605C96ABAA6DF372CEFD
dnssec.se. 3600 IN RRSIG DS 5 2 3600 20090516111828 20090510001806 48006 se. ZaLF6Rp2eDx1e39jeblBqNRiW5x08wuouTsptk/ztoEFyGmFzGU3SYtd kyPjcni0X1N4MA5VWSZd4Zauzm6n+o5MwNyKRXezO+dpSTxjFW47Of7w 8hdqagGuFSwfsxTOvb1UyPKIjw4N5LijPWLfGdJpTXZjvu12sTcktdPt 8zE=

Or does it? The RRSIG covers only the DS records. I can easily (well...) spoof the NS records at the delegation point and make them point to any address of my choosing - leading to prolonged downtime. No cryptography is involved, no bogus data.
Even more interesting, the DNSSEC signed .se zone does truly provide excellent protection for domains that don't exist:

;www.dnssec-is-easy.se. IN A

;; AUTHORITY SECTION:
se. 7200 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009051103 1800 1800 2419200 7200
se. 7200 IN RRSIG SOA 5 1 172800 20090516201933 20090511061306 48006 se. fCZuLwyfJrP+uGLlvRHeQjxI9VJwMTRi3xLWQCpfihcAtLkEVx6yolV1
se. 7200 IN NSEC 0-0.se. NS SOA TXT RRSIG NSEC DNSKEY
se. 7200 IN RRSIG NSEC 5 1 7200 20090517090715 20090510201806 48006 se. ovDL7FOIBbMUaIWM8iH/UxTqWnnzMLSTg5Nvv/6+q2lqBgXGK3bAgOjj
dnssec-gotlandica.se. 7200 IN NSEC dnssectest.se. NS DS RRSIG NSEC
dnssec-gotlandica.se. 7200 IN RRSIG NSEC 5 2 7200 20090516015224 20090509201806 48006 se. lY1t0wKdsaVyqqhXRflVeyh+P+SY2ZNdd8lXGgvvvCEMIz/36qPpdExO

This is completely protected, and I can't do anything interesting here as an attacker. All .se's non-customers can feel secure!

A query for any other kind of domain in the DNSSEC signed .se zone however is offered no protection at all:

;www.powerdns.se. IN A
powerdns.se. 86400 IN NS ns2.powerdns.se.
powerdns.se. 86400 IN NS ns1.powerdns.se.
powerdns.se. 7200 IN NSEC powerdoc.se. NS RRSIG NSEC
powerdns.se. 7200 IN RRSIG NSEC 5 2 7200 20090516052931 20090509161806 48006 se. BQkQS3FSDWE5+TOVhYXcAo2zHZ3d8i1AgpyFmnM4vkSjHrnUZLD8wbS/

So even though the .SE people have turned on DNSSEC, 99% of their domains have gained no protection at all. Protection they would have had if EDNS0 or another measure were available.

Bert

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Mon May 11 02:20:23 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6FDBA28C0FA; Mon, 11 May 2009 02:20:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.035 X-Spam-Level: ** X-Spam-Status: No, score=2.035 tagged_above=-999 required=5 tests=[AWL=-2.185, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LqHVNln-DZkP; Mon, 11 May 2009 02:20:16 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 37B0B3A67DD; Mon, 11 May 2009 02:20:16 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3RcM-0003um-Lp for namedroppers-data0@psg.com; Mon, 11 May 2009 09:16:14 +0000 Received: from [193.227.124.2] (helo=mx01.bfk.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3RcA-0003u1-GW for namedroppers@ops.ietf.org; Mon, 11 May 2009 09:16:08 +0000 Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1M3RRT-0001Hu-HM; Mon, 11 May 2009 11:04:59 +0200 Received: from fweimer by bfk.de with local id 1M3Rc1-0000yt-1y; Mon, 11 May 2009 11:15:53 +0200 To: "W.C.A. Wijngaards" Cc: bert hubert , Andrew Sullivan , namedroppers@ops.ietf.org Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> From: Florian Weimer Date: Mon, 11 May 2009 11:15:53 +0200 In-Reply-To: <4A07D802.9050400@nlnetlabs.nl> (W. 
C. A. Wijngaards's message of "Mon, 11 May 2009 09:47:14 +0200") Message-ID: <82fxfcq9ti.fsf@mid.bfk.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

* W. C. A. Wijngaards:
> Hi Bert,
>
> bert hubert wrote:
>
>> Furthermore, as is well known (although sometimes denied) DNSSEC
>> remains just as vulnerable to spoofing at the delegation point as
>> normal DNS. The difference is that with DNSSEC, spoofing at that level
>> only leads to prolonged downtime.
>
> I am sorry, but spoofing at the delegation level does not lead to
> prolonged downtime with DNSSEC. Validators usually wait a short while
> before the bogus data is flushed out of the cache, but this is not
> 'prolonged'. Can you give details on this denial-of-service?

The DNSSEC model assumes that data from the validator is not fed back into the recursor. In fact, this is impossible if the validator runs on the end system (along with the stub), and the upstream recursor has fewer trust anchors than the end system. It is possible to change the model (and I think that's inevitable if it's determined that we need DNSSEC soon), but I think that, officially, we still work under the assumption validator == trusted, recursor == untrusted.

As an experiment with a validator/recursor combination in the same process (where feedback is theoretically possible), I've installed a trust anchor for www.bfk.de in Unbound 1.2.1 and BIND 9.6.0. www.bfk.de is in a zone which is not signed, so both recursors return SERVFAIL to queries for this name. BIND seems to climb up to the root from time to time, and queries all servers for bfk.de (but not for . or de). Unbound does not seem to perform additional upstream transactions, even after waiting a few minutes between queries.
Of course, this has to be taken with a grain of salt because usually, a signed delegation will be involved (which is more difficult to test for me).

I'm not sure which is better. Aggressive querying further up the tree might give you correct data, but increases DNS load globally (especially if you publish bad data and the whole world starts aggressive probing). It is also very difficult to implement in a way that actually offers protection against attackers who can bypass channel security, but have not full control over your communications. On the other hand, not sending further queries means you rely on channel security.

--
Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive:

From owner-namedroppers@ops.ietf.org Mon May 11 02:29:09 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D8E33A6F33; Mon, 11 May 2009 02:29:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.73 X-Spam-Level: X-Spam-Status: No, score=-101.73 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_MLH_Stock1=0.87, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hS14OAfj-jmz; Mon, 11 May 2009 02:29:08 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B036228C10A; Mon, 11 May 2009 02:29:07 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3Rmg-0004Yx-Td for namedroppers-data0@psg.com; Mon, 11 May 2009 09:26:54 +0000 Received:
from [2001:7b8:206:1::1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3RmT-0004YD-9E for namedroppers@ops.ietf.org; Mon, 11 May 2009 09:26:48 +0000 Received: from [IPv6:2001:7b8:206:1:215:afff:fed2:e121] ([IPv6:2001:7b8:206:1:215:afff:fed2:e121]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id n4B9QTbQ006867 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 11 May 2009 11:26:38 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl) Message-ID: <4A07EF45.5030701@nlnetlabs.nl> Date: Mon, 11 May 2009 11:26:29 +0200 From: Matthijs Mekking Organization: NLnet Labs User-Agent: Thunderbird 2.0.0.21 (X11/20090318) MIME-Version: 1.0 To: bert hubert CC: "W.C.A. Wijngaards" , Andrew Sullivan , namedroppers@ops.ietf.org Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> In-Reply-To: <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Mon, 11 May 2009 11:26:38 +0200 (CEST) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bert, Quote: > Or does it? The RRSIG covers only the DS records. I can easily > (well...) spoof the NS records at the delegation point and make them > point to any address of my choosing - leading to prolonged downtime. > No cryptography is involved, no bogus data. Yes, you can still spoof the NS record. But if at the malicious server no DNSKEY is found that: 1) matches the DS. 2) is properly signed. 
, the data served from that server is handled as if it was bogus. Like it should. So in order to successfully spoof the delegation, you need to have the private key of the child zone.

> Even more interesting, the DNSSEC signed .se zone does truly provide
> excellent protection for domains that don't exist:
> ;www.dnssec-is-easy.se. IN A
>
> ;; AUTHORITY SECTION:
> se. 7200 IN SOA
> catcher-in-the-rye.nic.se. registry-default.nic.se. 2009051103 1800
> 1800 2419200 7200
> se. 7200 IN RRSIG SOA 5 1 172800
> 20090516201933 20090511061306 48006 se.
> fCZuLwyfJrP+uGLlvRHeQjxI9VJwMTRi3xLWQCpfihcAtLkEVx6yolV1
> se. 7200 IN NSEC 0-0.se. NS SOA TXT
> RRSIG NSEC DNSKEY
> se. 7200 IN RRSIG NSEC 5 1 7200
> 20090517090715 20090510201806 48006 se.
> ovDL7FOIBbMUaIWM8iH/UxTqWnnzMLSTg5Nvv/6+q2lqBgXGK3bAgOjj
> dnssec-gotlandica.se. 7200 IN NSEC dnssectest.se. NS DS RRSIG NSEC
> dnssec-gotlandica.se. 7200 IN RRSIG NSEC 5 2 7200
> 20090516015224 20090509201806 48006 se.
> lY1t0wKdsaVyqqhXRflVeyh+P+SY2ZNdd8lXGgvvvCEMIz/36qPpdExO
>
> This is completely protected, and I can't do anything interesting here
> as an attacker. All .se's non-customers can feel secure!
>
> A query for any other kind of domain in the DNSSEC signed .se zone
> however is offered no protection at all:
> ;www.powerdns.se. IN A
> powerdns.se. 86400 IN NS ns2.powerdns.se.
> powerdns.se. 86400 IN NS ns1.powerdns.se.
> powerdns.se. 7200 IN NSEC powerdoc.se. NS RRSIG NSEC
> powerdns.se. 7200 IN RRSIG NSEC 5 2 7200
> 20090516052931 20090509161806 48006 se.
> BQkQS3FSDWE5+TOVhYXcAo2zHZ3d8i1AgpyFmnM4vkSjHrnUZLD8wbS/
>
> So even though the .SE people have turned on DNSSEC, 99% of their
> domains have gained no protection at all.

They have secured the domain names they are owner of. For TLDs, 99% of the time they are not authoritative for their data: they mainly have delegations. Because .se doesn't own the zone powerdns.se., they don't own the zone data; .se is in no position to secure the powerdns.se. zone.
If it is important for powerdns.se. to secure their zone data, they should turn on DNSSEC as well. Luckily, .se provided that possibility for them! Best regards, Matthijs Mekking NLnet Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJKB+9BAAoJEA8yVCPsQCW5GqAIALDtsukl5BWpDm165LXo/wK3 AqG8FCCnloswZQC9nCY0wFZHT7+69HaGncUmCWiuzThVZNFep3XkYqggjCoVOnOZ OBaOIpC4gU6EyD1m6F4AIhCG+z5yUfaVNpNAyn4vCPsF3GoeIlsjDLBI95B6Rmhr 40M6+/1SPlUjH+JPwaHKJPdLXSRUKQ/cQ0EyNAN0+nIzXWl0kzDjuT6xtKxfxZng bplvpfdaR8wyfVeFccw5GHFcNZzBhqN+d5N02T8tIjSQuk80FZC55ifMFKL0lt/O GOLySwdsshQCIWhtNEeH3bGwuAr6QRZa8TFaKqVHt8rAt6WOQJ574KxKbsqQ/yA= =G6ye -----END PGP SIGNATURE----- -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 11 02:39:49 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 056143A6BB6; Mon, 11 May 2009 02:39:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.46 X-Spam-Level: X-Spam-Status: No, score=0.46 tagged_above=-999 required=5 tests=[AWL=-1.155, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_LWSHORTT=1.24, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJvB+dgYYhTR; Mon, 11 May 2009 02:39:48 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 269A13A67DD; Mon, 11 May 2009 02:39:48 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3Rwz-0005RM-Hx for namedroppers-data0@psg.com; Mon, 11 May 2009 09:37:33 
+0000 Received: from [209.85.219.160] (helo=mail-ew0-f160.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3Rwn-0005QD-Cg for namedroppers@ops.ietf.org; Mon, 11 May 2009 09:37:27 +0000 Received: by ewy4 with SMTP id 4so3441550ewy.41 for ; Mon, 11 May 2009 02:37:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=aYoMYyqVeFt+2KHt3amhBgZ3pOwN5inIDuLgHFp79w4=; b=QujT5p7XxuSleH1qz72L/2fmeUI8/ot2wYkpmdc4Vir3SJCNemCBYZ/YZxr/uAuM0V e/udb4MqyZAA9zRE5omvYtoZDPCSEcvucj1731ZplN2Ufk9fUJbodBUU2z9hGocJexz3 HWPnhd6ns7QCufJon6wAxLtMdxDlNVCwgM3DQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=uyvlrEW0gfu0wBp6RT7Qzqs/FQK5u0CFafHgUVdx9zTk4XyB8ZR6fE07Tp50okopLd 19eFy6Rx9ir/TLVkuZuwjK1VdQ258DYhzxZCZ9fGK3rkBaAR1f7Mvd/B1G0E+jtFwh6o 1RioxlW1x8L5E7BzGOGdJ/jboZ6gNQEkbvqPo= MIME-Version: 1.0 Received: by 10.210.87.11 with SMTP id k11mr3103867ebb.7.1242034640070; Mon, 11 May 2009 02:37:20 -0700 (PDT) In-Reply-To: <4A07EF45.5030701@nlnetlabs.nl> References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> <4A07EF45.5030701@nlnetlabs.nl> From: bert hubert Date: Mon, 11 May 2009 11:37:00 +0200 Message-ID: <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com> Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm To: Matthijs Mekking Cc: "W.C.A. 
Wijngaards" , Andrew Sullivan , namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

On Mon, May 11, 2009 at 11:26 AM, Matthijs Mekking wrote:
>> Or does it? The RRSIG covers only the DS records. I can easily
>> (well...) spoof the NS records at the delegation point and make them
>> point to any address of my choosing - leading to prolonged downtime.
>> No cryptography is involved, no bogus data.
>
> Yes, you can still spoof the NS record. But if at the malicious server

Indeed, and this generates the downtime I mentioned. I am not talking about inserting unauthenticated content. See also what Florian said (with the aside he mentioned that he was talking about trust anchors and not DS).

>> So even though the .SE people have turned on DNSSEC, 99% of their
>> domains have gained no protection at all.
(...)
> Because .se don't own the zone powerdns.se., they don't own the zone
> data, .se is in no position to secure the powerdns.se. zone. If it is

Indeed - this is exactly my point, the design of DNSSEC precludes securing a delegation to an unsigned zone. And this puts it significantly apart from other approaches which confer 'automatic' protection, albeit a less potent form.

And this is why I think we should now not steer away from EDNS0 or Wouter's work, or other ways to improve DNS security in the short term.

Bert

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
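The delegation-point argument in this exchange (Bert's dnssec.se and powerdns.se records, Matthijs's point that a spoofed server must still present a DNSKEY matching the signed DS, and Bert's reply that a delegation to an unsigned zone cannot be secured by the parent) can be checked against the validator rules of RFC 4034/4035. The Python model below is an added example written for this page, not code from the thread or from any resolver: it computes the DS digest and key tag as RFC 4034 specifies, classifies a delegation as secure, insecure or bogus from the parent's signed DS/NSEC data alone, and reports what a validator ends up with when the unsigned NS set has been spoofed. The DNSKEY byte strings are constructed toys, the two delegations are modelled from the records quoted above rather than fetched, and RRSIG verification on the child's RRsets is reduced to a boolean standing for "the answering server holds the private key".

```python
"""Model of a DNSSEC validator's decision at a delegation point.

Added illustration for this thread; not code from any resolver. The DS digest
and key tag follow RFC 4034; signature checking is simplified to a boolean.
"""
import hashlib
import struct
from dataclasses import dataclass, field


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (a lookup hint, not a security property)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if (i & 1) else (b << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest per RFC 4034 section 5.1.4: H(owner name in wire form || DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


@dataclass
class Delegation:
    """What the parent zone publishes for a child."""
    child: str
    ns: list                                      # NS names: never signed by the parent
    ds: list = field(default_factory=list)        # (key_tag, algorithm, digest_type, digest)
    nsec_types: set = field(default_factory=set)  # type bitmap of the signed NSEC at `child`


def delegation_status(d: Delegation) -> str:
    """What a validator can prove from the parent's signed DS/NSEC data alone."""
    if d.ds:
        return "secure"      # signed DS: the child must prove it holds a matching key
    if d.nsec_types and "DS" not in d.nsec_types:
        return "insecure"    # signed NSEC proves there is no DS: the child is unsigned
    return "bogus"           # neither a DS nor a proof of its absence


def resolve_after_ns_spoof(d: Delegation, served_key: bytes, can_sign: bool) -> str:
    """Outcome when the unsigned NS set is spoofed and the attacker's server answers.

    `served_key` is the DNSKEY RDATA the spoofed server publishes; `can_sign`
    stands in for RRSIG verification and is True only for the real key holder.
    """
    status = delegation_status(d)
    if status == "insecure":
        return "forged data accepted"   # no chain of trust reaches the child
    if status == "bogus":
        return "SERVFAIL"
    for tag, alg, dtype, digest in d.ds:
        if (tag == key_tag(served_key) and alg == served_key[3]
                and digest == ds_digest(d.child, served_key, dtype)):
            # DS matches; copying the real DNSKEY is useless without its private half
            return "answers validated" if can_sign else "SERVFAIL"
    return "SERVFAIL"                   # no DNSKEY matches the DS: bogus, i.e. downtime


# Constructed toy keys (arbitrary bytes, not real DNSSEC public keys).
REAL_KEY = dnskey_rdata(257, 3, 8, b"real-ksk-public-bytes-for-dnssec.se")
ATTACKER_KEY = dnskey_rdata(257, 3, 8, b"attacker-generated-public-bytes")


def real_ds(child: str, digest_type: int = 2) -> tuple:
    return (key_tag(REAL_KEY), 8, digest_type, ds_digest(child, REAL_KEY, digest_type))


# dnssec.se-style delegation: DS present (modelled from the quoted records).
SIGNED = Delegation("dnssec.se.", ["ns.dnssec.se.", "primary.se.", "secondary.se."],
                    ds=[real_ds("dnssec.se.", 2), real_ds("dnssec.se.", 1)],
                    nsec_types={"NS", "DS", "RRSIG", "NSEC"})
# powerdns.se-style delegation: NSEC bitmap lacks DS, i.e. a proven-unsigned child.
UNSIGNED = Delegation("powerdns.se.", ["ns1.powerdns.se.", "ns2.powerdns.se."],
                      nsec_types={"NS", "RRSIG", "NSEC"})

if __name__ == "__main__":
    for d in (SIGNED, UNSIGNED):
        print(f"{d.child:<14} {delegation_status(d):<9} spoofed NS ->",
              resolve_after_ns_spoof(d, ATTACKER_KEY, can_sign=True))
```

Run stand-alone it prints one line per delegation. The point it makes is the one both sides of the thread agree on: under the signed dnssec.se delegation a spoofed NS set ends in SERVFAIL (the attacker's DNSKEY does not hash to the parent's DS, so the outcome is the downtime Bert describes, not accepted forgeries), while under the NSEC-proven unsigned powerdns.se delegation the attacker's answers are accepted outright, because nothing signed by .se chains down to that child.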
From owner-namedroppers@ops.ietf.org Mon May 11 02:51:09 2009
From: bmanning@vacation.karoshi.com
Date: Mon, 11 May 2009 09:41:49 +0000
To: Florian Weimer
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090511094149.GD30624@vacation.karoshi.com.>
In-Reply-To: <82fxfcq9ti.fsf@mid.bfk.de>
References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <82fxfcq9ti.fsf@mid.bfk.de>

On Mon, May 11, 2009 at 11:15:53AM +0200, Florian Weimer wrote:
> * W. C. A. Wijngaards:
>
> > Hi Bert,
> >
> > bert hubert wrote:
> >
> >> Furthermore, as is well known (although sometimes denied) DNSSEC
> >> remains just as vulnerable to spoofing at the delegation point as
> >> normal DNS. The difference is that with DNSSEC, spoofing at that level
> >> only leads to prolonged downtime.
> >
> > I am sorry, but spoofing at the delegation level does not lead to
> > prolonged downtime with DNSSEC. Validators usually wait a short while
> > before the bogus data is flushed out of the cache, but this is not
> > 'prolonged'. Can you give details on this denial-of-service?
>
> The DNSSEC model assumes that data from the validator is not fed back
> into the recursor. In fact, this is impossible if the validator runs
> on the end system (along with the stub), and the upstream recursor has
> fewer trust anchors than the end system. It is possible to change the
> model (and I think that's inevitable if it's determined that we need
> DNSSEC soon), but I think that, officially, we still work under the
> assumption validator == trusted, recursor == untrusted.

not everyone agrees with or uses that particular model.

> I'm not sure which is better. Aggressive querying further up the tree
> might give you correct data, but increases DNS load globally
> (especially if you publish bad data and the whole world starts
> aggressive probing). It is also very difficult to implement in a way
> that actually offers protection against attackers who can bypass
> channel security, but have not full control over your communications.
> On the other hand, not sending further queries means you rely on
> channel security.

for a reasonable number of delegations, there is room and to spare
for extra query load. More aggressive querying is inevitable. As is
better channel security. This is not a zero-sum game. Both will happen.

> --
> Florian Weimer
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100 tel: +49-721-96201-1
> D-76133 Karlsruhe fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Mon May 11 03:08:50 2009
From: Ondřej Surý
Date: Mon, 11 May 2009 12:05:31 +0200
To: bert hubert
Cc: Matthijs Mekking, "W.C.A. Wijngaards", Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com>
References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> <4A07EF45.5030701@nlnetlabs.nl> <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com>

On Mon, May 11, 2009 at 11:37 AM, bert hubert wrote:
> On Mon, May 11, 2009 at 11:26 AM, Matthijs Mekking wrote:
> >> Or does it? The RRSIG covers only the DS records. I can easily
> >> (well...) spoof the NS records at the delegation point and make them
> >> point to any address of my choosing - leading to prolonged downtime.
> >> No cryptography is involved, no bogus data.
> >
> > Yes, you can still spoof the NS record. But if at the malicious server
>
> Indeed, and this generates the downtime I mentioned. I am not talking
> about inserting unauthenticated content. See also what Florian said
> (with the aside he mentioned that he was talking about trust anchors
> and not DS).

I have heard this so many times that I am getting a little bit tired.

Yes, you can spoof NS records, but it is the same in plain DNS and in a
DNSSEC zone. It doesn't create any prolonged downtime as compared to
plain DNS.

But the important thing is that you cannot get spoofed records from the
child zone. And that's the reason for DNSSEC.

Ondrej
--
Ondrej Sury
technicky reditel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o.    --    .cz domain registry
Americka 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury@nic.cz    http://nic.cz/
sip:ondrej.sury@nic.cz tel:+420.222745110
mob:+420.739013699     fax:+420.222745112
-----------------------------------------
From owner-namedroppers@ops.ietf.org Mon May 11 03:18:43 2009
From: Matthijs Mekking
Organization: NLnet Labs
Date: Mon, 11 May 2009 12:15:45 +0200
To: bert hubert
Cc: "W.C.A. Wijngaards", Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <4A07FAD1.1000509@nlnetlabs.nl>
In-Reply-To: <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com>
References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> <4A07EF45.5030701@nlnetlabs.nl> <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately, you cut away the advantages I stated.

bert hubert wrote:
> On Mon, May 11, 2009 at 11:26 AM, Matthijs Mekking wrote:
>>> Or does it? The RRSIG covers only the DS records. I can easily
>>> (well...) spoof the NS records at the delegation point and make them
>>> point to any address of my choosing - leading to prolonged downtime.
>>> No cryptography is involved, no bogus data.
>> Yes, you can still spoof the NS record. But if at the malicious server
>
> Indeed, and this generates the downtime I mentioned. I am not talking
> about inserting unauthenticated content. See also what Florian said
> (with the aside he mentioned that he was talking about trust anchors
> and not DS).

The downtime is still better than ending up giving away information to
the wrong guy, in my opinion.

>
>>> So even though the .SE people have turned on DNSSEC, 99% of their
>>> domains have gained no protection at all.
> (...)
>> Because .se don't own the zone powerdns.se., they don't own the zone
>> data, .se is in no position to secure the powerdns.se. zone. If it is
>
> Indeed - this is exactly my point, the design of DNSSEC precludes
> securing a delegation to an unsigned zone. And this puts it
> significantly apart from other approaches which confer 'automatic'
> protection, albeit a less potent form.

I haven't seen any 'automatic' protection solutions yet. Even with
patching, it needs cooperation of many organizations in order to add
the extra security. With DNSSEC, organizations have the opportunity to
cryptographically secure their data. If the root and all TLDs are
signed, it makes the process easier, although the organization has a
workaround by using a public trust anchor repository. It would be nice
if all resolvers also accepted the security extension, without ignoring
it. Guess you found at least one person that wants DNSSEC in PowerDNS
;-).

> And this is why I think we should now not steer away from EDNS0 or
> Wouter's work, or other ways to improve DNS security in the short
> term.

For clarification, my e-mail was not advocating that we should steer
away from this work.

Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJKB/q7AAoJEA8yVCPsQCW5Se0IAMelVy47K6yQ6fwBXV3UHSu2
MVrfX7hyujplUrTUWCWo3qsh1OvqdbNlL4DOhsm81as9G8pFgmTFxLF7P2jqsnIu
0q0wMLk2rbBXhP1YPL+xfcc9kiRdNWpP2/3h0C8Sh6Jm29N+1W6eFrQ4/xDS09fX
k/xZlE5ZyC1u/9JmDK1QIw1rg7Bsh8WVc8CHoX2cgn6N87Grh95XhV0yaIv+ayM8
zQIeiP7v5cHG+qFFBBwcGEvIIETOhK32rMsWq2C4JqJY8MXRQ25wHI/MstlYd1Rp
0UuJuzG+hLUwy9zfQDuMlUHlPCTuSRV7bJaqbP+zs+fSMh38+BYOy8eT2ZjC2GE=
=rDmL
-----END PGP SIGNATURE-----
From owner-namedroppers@ops.ietf.org Mon May 11 03:38:33 2009
From: "Roy Arends"
Date: Mon, 11 May 2009 12:34:01 +0200
To: bert hubert
Cc: Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com>
References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com>

Bert Hubert wrote on 05/10/2009 10:19:26 PM:

> Furthermore, as is well known (although sometimes denied) DNSSEC
> remains just as vulnerable to spoofing at the delegation point as
> normal DNS. The difference is that with DNSSEC, spoofing at that level
> only leads to prolonged downtime.

So with DNSSEC, the spoof is detected and protects the user from visiting
a bogus site?

Regards,

Roy Arends
Sr. Researcher
Nominet UK

From owner-namedroppers@ops.ietf.org Mon May 11 03:53:13 2009
From: bert hubert
Date: Mon, 11 May 2009 12:47:12 +0200
To: Roy Arends
Cc: Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <3efd34cc0905110347i7f090bd1rf0cac52b2990020d@mail.gmail.com>
References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com>

On Mon, May 11, 2009 at 12:34 PM, Roy Arends wrote:
> Bert Hubert wrote on 05/10/2009 10:19:26 PM:
>
>> Furthermore, as is well known (although sometimes denied) DNSSEC
>> remains just as vulnerable to spoofing at the delegation point as
>> normal DNS. The difference is that with DNSSEC, spoofing at that level
>> only leads to prolonged downtime.
>
> So with DNSSEC, the spoof is detected and protects the user from visiting
> a bogus site?

If we step back to the beginning, you might find that I stated
immediately after the bit you quoted that even DNSSEC would benefit
from EDNS-PING or other measures.

"In other words, DNSSEC benefits from EDNS0[-PING] in a significant way."

Please do not see this as a 'battle' between DNSSEC and EDNS-PING. The
two have very different goals.

Bert

From owner-namedroppers@ops.ietf.org Mon May 11 04:20:22 2009
From: Stefan Schmidt
Date: Mon, 11 May 2009 13:16:42 +0200
To: Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090511111642.GA2036@zaphods.net>
In-Reply-To: <20090508181422.GH2372@shinkuro.com>
References: <20090508181422.GH2372@shinkuro.com>

Hello Olafur, Andrew and all,

On Fri, May 08, 2009 at 02:14:22PM -0400, Andrew Sullivan wrote:
> 1. Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.

Clearly you mean development, for "DNS operations are out of scope for
the WG."

> 5. Officially adopt nothing, but support (2) and (3) going ahead as
> individual submissions on the Informational track. (2) would
> obviously need to be modified slightly to keep out any protocol items
> that might be entailed. The reason (4) can't just go ahead on the
> individual track is that the assignment of an EDNS0 code point
> requires standards action, so the work would come back here anyway.

I can only assume that by EDNS0 code point you mean an Option Code.
RFC 2671 section 7 (IANA Considerations) states IESG approval should be
required to create new entries in the EDNS Extended Label Type or EDNS
Version Number registries, while any published RFC (including
Informational, Experimental, or BCP) should be grounds for allocation
of an EDNS Option Code.

However, as EDNS PING mandates authoritative and recursive server
behaviour I would rather see it on the standards track than anywhere
else.

Actually I don't see the harm in adopting 2., 3. and 4. as they are
rather documenting the status quo and neither of these documents say
DNSSEC should not be deployed.

Let's remember we're engineers, not politicians.

Stefan
archive: From owner-namedroppers@ops.ietf.org Mon May 11 05:08:51 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 03ECD3A6939; Mon, 11 May 2009 05:08:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.83 X-Spam-Level: * X-Spam-Status: No, score=1.83 tagged_above=-999 required=5 tests=[AWL=-1.790, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87, SARE_RAND_1=2] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MoOz2jZArYGn; Mon, 11 May 2009 05:08:49 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3C77E3A6911; Mon, 11 May 2009 05:08:48 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3UDk-000GKD-5A for namedroppers-data0@psg.com; Mon, 11 May 2009 12:03:00 +0000 Received: from [193.227.124.2] (helo=mx01.bfk.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3UD6-000GGt-B5 for namedroppers@ops.ietf.org; Mon, 11 May 2009 12:02:32 +0000 Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1M3UD6-0002hf-KO; Mon, 11 May 2009 14:02:20 +0200 Received: from fweimer by bfk.de with local id 1M3UCg-0003GW-9f; Mon, 11 May 2009 14:01:54 +0200 To: bert hubert Cc: Matthijs Mekking , "W.C.A. 
Wijngaards" , Andrew Sullivan , namedroppers@ops.ietf.org Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm References: <20090508181422.GH2372@shinkuro.com> <3efd34cc0905101319q604ec98ayb418a8f1f9d4889@mail.gmail.com> <4A07D802.9050400@nlnetlabs.nl> <3efd34cc0905110114n29d156f3i93fcc1fb27e32b1b@mail.gmail.com> <4A07EF45.5030701@nlnetlabs.nl> <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com> From: Florian Weimer Date: Mon, 11 May 2009 14:01:54 +0200 In-Reply-To: <3efd34cc0905110237y494c93d2mf23609d2497c519e@mail.gmail.com> (bert hubert's message of "Mon, 11 May 2009 11:37:00 +0200") Message-ID: <82vdo7q24t.fsf@mid.bfk.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: * bert hubert: > Indeed, and this generates the downtime I mentioned. I am not talking > about inserting unauthenticated content. See also what Florian said > (with the aside he mentioned that he was talking about trust anchors > and not DS). I've hacked something together for a signed DS: resolver has trust anchor for se, nic.se answers without any DNSSEC-related records, query is for www.nic.se. BIND 9.6.0 sends queries to each ns{,2,3}.nic.se server at a rate which seems to be 1/(sum of RTTs), apparently based on feedback from the validator to the recursor. When I correct the broken delegation, it starts returning correct answers immediately. There are sporadic queries to the .se servers, too (but the rate is in the centihertz range, it seems). Unbound 1.2.1 behaves according to a strict valdiator/recursor separation. The whole zone remains dead for an extended period of time. Cache misses ($RANDOM.nic.se) result in upstream queries, but the SERVFAIL is sticky. Perhaps it caches the non-existence of the DNSKEY record? 
--=20 Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra=DFe 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 11 05:24:18 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D1F63A6ABF; Mon, 11 May 2009 05:24:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.904 X-Spam-Level: X-Spam-Status: No, score=0.904 tagged_above=-999 required=5 tests=[AWL=-0.716, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCR0RjL-DYd4; Mon, 11 May 2009 05:24:17 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 981173A6911; Mon, 11 May 2009 05:24:17 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3USc-000HdT-4V for namedroppers-data0@psg.com; Mon, 11 May 2009 12:18:22 +0000 Received: from [193.227.124.2] (helo=mx01.bfk.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3USJ-000Hbv-Pe for namedroppers@ops.ietf.org; Mon, 11 May 2009 12:18:16 +0000 Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1M3USQ-00060l-Sj; Mon, 11 May 2009 14:18:10 +0200 Received: from fweimer by bfk.de with local id 1M3USG-0006fX-5x; Mon, 11 May 2009 14:18:00 +0200 To: Andrew Sullivan Cc: namedroppers@ops.ietf.org Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm 
From: Florian Weimer
Date: Mon, 11 May 2009 14:18:00 +0200
In-Reply-To: <20090508181422.GH2372@shinkuro.com> (Andrew Sullivan's message of "Fri, 8 May 2009 14:14:22 -0400")
Message-ID: <82prefq1dz.fsf@mid.bfk.de>

* Andrew Sullivan:

> 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps
> this gets included in that document, or perhaps it proceeds as part of
> a set of documents. Let's leave the editorial process issues out of
> the discussion, and just focus on whether we want to include this
> strategy in the tool box.
>
> 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this
> might be included as part of (2) or processed individually, but that
> doesn't matter.

Both drafts are not worth the WG's efforts, IMHO.

On the other hand, it seems to me that the current DNSSEC implementations require a certain level of channel security to work reliably. If it turns out that source port randomization is really not good enough, DNSSEC is affected as well (even if it's just a denial of service).

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Mon May 11 05:36:09 2009
Date: Mon, 11 May 2009 12:31:46 +0000
From: bmanning@vacation.karoshi.com
To: Roy Arends
Cc: bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090511123146.GE30624@vacation.karoshi.com.>

On Mon, May 11, 2009 at 12:34:01PM +0200, Roy Arends wrote:
> Bert Hubert wrote on 05/10/2009 10:19:26 PM:
>
> > Furthermore, as is well known (although sometimes denied) DNSSEC
> > remains just as vulnerable to spoofing at the delegation point as
> > normal DNS. The difference is that with DNSSEC, spoofing at that level
> > only leads to prolonged downtime.
>
> So with DNSSEC, the spoof is detected and protects the user from visiting
> a bogus site?
>
> Regards,
>
> Roy Arends
> Sr. Researcher
> Nominet UK

Roy, you know better than that... You should have stopped here:

"So with DNSSEC, the spoof is detected"

What happens -after- detection is up to the application/user.

--bill
From owner-namedroppers@ops.ietf.org Mon May 11 05:52:48 2009
From: Nicholas Weaver
To: Florian Weimer
Cc: Nicholas Weaver, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 05:48:59 -0700
In-Reply-To: <82prefq1dz.fsf@mid.bfk.de>
Message-Id: <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu>

On May 11, 2009, at 5:18 AM, Florian Weimer wrote:

> * Andrew Sullivan:
>
>> 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps
>> this gets included in that document, or perhaps it proceeds as part of
>> a set of documents. Let's leave the editorial process issues out of
>> the discussion, and just focus on whether we want to include this
>> strategy in the tool box.
>>
>> 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this
>> might be included as part of (2) or processed individually, but that
>> doesn't matter.
>
> Both drafts are not worth the WG's efforts, IMHO.

I can see such an argument against EDNS0-ping, but what is your argument against 0x20? 0x20 is just about as validated-as-you-can-get already within the current DNS operations.

> On the other hand, it seems to me that the current DNSSEC
> implementations require a certain level of channel security to work
> reliably. If it turns out that source port randomization is really
> not good enough, DNSSEC is affected as well (even if it's just a
> denial of service).

I don't think this denial of service is all that significant, because there are easy fallbacks for such failures to generate new requests (it sounds like that's what Bind does already), and any resolver with DNSSEC is still going to need source port randomization for all the stuff that isn't DNSSEC yet. There are far better things for an attacker to do than waste 2^30+ packets in that way.
From owner-namedroppers@ops.ietf.org Mon May 11 06:19:13 2009
From: Florian Weimer
To: Nicholas Weaver
Cc: Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 15:14:37 +0200
In-Reply-To: <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> (Nicholas Weaver's message of "Mon, 11 May 2009 05:48:59 -0700")
Message-ID: <82ab5jpyrm.fsf@mid.bfk.de>

* Nicholas Weaver:

> I can see such an argument against EDNS0-ping, but what is your
> argument against 0x20?

Among other things, it only adds two bits of security for ccTLDs, and zero bits for the root. Consequently, you need the full range of cache hardening before 0x20 turns effective. I find it hard to believe that we'll see significant movement in that direction. In fact, I fear that EDNS0 PING is easier to implement.

[DNSSEC and channel security]

> I don't think this denial of service is all that significant,

If you actually need to send those 2**30 packets, I'd agree. But who knows if you have to for a particular network setup?

> because there are easy fallbacks for such failures to generate new
> requests (it sounds like that's what Bind does already)

I'm not sure if this is a feasible general strategy because it results in high load for incorrectly signed zones (as observed with isc.dlv.org, see Michael Graff, "Unplanned DLV zone outage on 2009-Apr-06", <49DA5F27.4020005@isc.org>, posted to the dns-operations mailing list).

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
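An added example, not code from this thread or from any of the resolvers it discusses, putting numbers on the two claims exchanged above: Weaver's "2^30+ packets" and Weimer's "two bits for ccTLDs, zero for the root" from 0x20. It counts the bits an off-path spoofer has to guess per forged response (transaction ID, source port, 0x20 case pattern), the mean number of forged packets that implies, and the exact-case check a 0x20-aware resolver applies before accepting an answer. Query names, ports and transaction IDs are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OutstandingQuery:
    qid: int        # 16-bit transaction ID
    src_port: int   # resolver's source port (random if port randomisation is on)
    qname: str      # the name exactly as sent, including any 0x20 case pattern


def dns0x20_bits(qname: str) -> int:
    """Entropy 0x20 can add: one bit per ASCII letter; digits, hyphens and dots add none.
    'se.' gives 2 bits and the root name '.' gives 0, which is Weimer's objection."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def spoof_entropy_bits(qname: str, port_randomisation: bool, use_0x20: bool) -> int:
    """Bits an off-path attacker must guess for one forged response to be accepted."""
    bits = 16                          # transaction ID
    if port_randomisation:
        bits += 16                     # source port (usable range is slightly under 2^16)
    if use_0x20:
        bits += dns0x20_bits(qname)
    return bits


def expected_forged_packets(bits: int) -> int:
    """Mean number of forged packets to hit the right (id, port, case): half the keyspace."""
    return 1 << (bits - 1)


def hit_probability(bits: int, packets: int) -> float:
    """Chance that `packets` independent guesses hit within one race window."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** packets


def randomise_case(qname: str, rng: random.Random) -> str:
    """Apply 0x20: randomise the case of every letter; responders echo the question verbatim."""
    return "".join((ch.upper() if rng.random() < 0.5 else ch.lower()) if ch.isalpha() else ch
                   for ch in qname)


def sample_case_pattern(qname: str, seed: int) -> str:
    """Deterministic 0x20 pattern for a given seed (a real resolver would use a CSPRNG)."""
    return randomise_case(qname, random.Random(seed))


def response_accepted(q: OutstandingQuery, resp_qid: int, resp_dst_port: int,
                      resp_qname: str) -> bool:
    """What the resolver checks before trusting an answer: ID, port and (with 0x20)
    the exact case pattern of the echoed question, not a case-insensitive match."""
    return resp_qid == q.qid and resp_dst_port == q.src_port and resp_qname == q.qname


def forged_packets_until_accepted(q: OutstandingQuery, port_guess: int,
                                  max_packets: int) -> Optional[int]:
    """Attacker enumerates transaction IDs with one port guess and a plain lower-case
    name. Returns how many packets it took, or None if the window (max_packets) closes."""
    for n, qid in enumerate(range(1 << 16), start=1):
        if n > max_packets:
            break
        if response_accepted(q, qid, port_guess, q.qname.lower()):
            return n
    return None


if __name__ == "__main__":
    for name in (".", "se.", "www.nic.se."):
        bits = spoof_entropy_bits(name, port_randomisation=True, use_0x20=True)
        print(f"{name:12s} 0x20 adds {dns0x20_bits(name)} bits, total {bits} bits, "
              f"mean forged packets {expected_forged_packets(bits)}")
```

Against a resolver with a fixed source port and no 0x20, enumerating transaction IDs always succeeds within 2^16 packets; either a random port or a case pattern the attacker does not know pushes the same enumeration past the window, which is the "seriously broken resolver" distinction Weaver draws.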
From owner-namedroppers@ops.ietf.org Mon May 11 06:29:21 2009
From: Nicholas Weaver
To: Florian Weimer
Cc: Nicholas Weaver, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 06:25:57 -0700
In-Reply-To: <82ab5jpyrm.fsf@mid.bfk.de>
Message-Id: <0C5FFFFE-798C-448B-831B-008EC1575C2B@ICSI.Berkeley.EDU>

On May 11, 2009, at 6:14 AM, Florian Weimer wrote:

>> I don't think this denial of service is all that significant,
>
> If you actually need to send those 2**30 packets, I'd agree. But who
> knows if you have to for a particular network setup?

If it's "no port randomization, full race-until-win, 2^16 packets", this would be a seriously broken DNS resolver. How often do you expect such seriously broken DNS resolvers to properly implement DNSSEC? And how many of those would be worth DoSing?

>> because there are easy fallbacks for such failures to generate new
>> requests (it sounds like that's what Bind does already)
>
> I'm not sure if this is a feasible general strategy because it results
> in high load for incorrectly signed zones (as observed with
> isc.dlv.org, see Michael Graff, "Unplanned DLV zone outage on
> 2009-Apr-06", <49DA5F27.4020005@isc.org>, posted to the dns-operations
> mailing list).

If you want DNSSEC deployed, mechanisms which punish incorrectly signed zones with significant load should be regarded as a feature, not a bug.
From owner-namedroppers@ops.ietf.org Mon May 11 06:36:16 2009
From: Florian Weimer
To: Nicholas Weaver
Cc: Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 15:32:45 +0200
In-Reply-To: <0C5FFFFE-798C-448B-831B-008EC1575C2B@ICSI.Berkeley.EDU> (Nicholas Weaver's message of "Mon, 11 May 2009 06:25:57 -0700")
Message-ID: <82y6t3ojcy.fsf@mid.bfk.de>

* Nicholas Weaver:

> If you want DNSSEC deployed, mechanisms which punish incorrectly
> signed zones with significant load should be regarded as a feature,
> not a bug.

I think this joke is in rather bad taste. Certainly, fear of accidental self-DoS (and not just zone unavailability, but actual packetting) will not help deployment at all!

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From owner-namedroppers@ops.ietf.org Mon May 11 07:35:17 2009
From: Paul Vixie
To: "W.C.A. Wijngaards"
Cc: bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: Your message of "Mon, 11 May 2009 09:47:14 +0200." <4A07D802.9050400@nlnetlabs.nl>
Date: Mon, 11 May 2009 14:28:26 +0000
Message-ID: <83281.1242052106@nsa.vix.com>

> Date: Mon, 11 May 2009 09:47:14 +0200
> From: "W.C.A. Wijngaards"
>
> I am sorry, but spoofing at the delegation level does not lead to
> prolonged downtime with DNSSEC. Validators usually wait a short while
> before the bogus data is flushed out of the cache, but this is not
> 'prolonged'. Can you give details on this denial-of-service?

if dnssec isn't secure then we'll have to fix it. but this would not be an argument for dropping it in favour of hop-by-hop measures. at best we may have to do more hop-by-hop to make sure end-to-end is safe. but for the future of dns itself we need end-to-end security at whatever cost.

somebody pointed out to me a week ago that one of the kaminsky variants works fine across a dnssec-secured delegation point where the parent and child are both signed and the signatures are all valid, since the NS RRset coming from the parent does not have signatures in the delegation response. so, a query for $random.$victim opens a race window during which a poison NS RRset could be inserted for $victim. perhaps this is the flaw referred to above.

i very much wish that i had learned the lesson of SRV naming more completely. had we put our NSEC[3]'s, RRSIG's and DS's at _$type._DNSSEC.$object rather than at $object, they would be in-zone even at delegation points, and the only ambiguity would be that the two NS RRsets (one in parent, one in child) would each have its own RRSIG, and it would be nec'y to remember the context in which it had been heard when deciding what signature it had to match. we would then be able to query for them if they expire or are purged earlier than the objects they cover. and more importantly after kaminsky's 2008 summer of fear, delegations would all be signed. i apologize for not thinking of this five years ago.
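An added example, not code from this thread nor from BIND or Unbound: a small model of a validating resolver walking a signed delegation, written to illustrate two observations made in this thread, Weimer's earlier report that BIND re-queries the delegation after the validator rejects the zone while Unbound's SERVFAIL stays sticky, and Vixie's point just above that the NS RRset in a referral carries no RRSIG, so a spoofed referral passes every check the resolver can make on it as long as the DS and its signature are the genuine ones. Zone names, keys and the HMAC used as a stand-in for RRSIG are constructed; real DNSSEC verifies the parent's signature with a public key, and the model keeps only the property that matters here, that the attacker cannot produce the parent's signature.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


def ds_digest(dnskey: bytes) -> bytes:
    """DS record content: a hash of the child's DNSKEY (SHA-256 here)."""
    return hashlib.sha256(dnskey).digest()


def sign(zone_key: bytes, data: bytes) -> bytes:
    """Stand-in for an RRSIG (constructed): HMAC with the zone key. Real DNSSEC uses
    public-key signatures; what matters here is that only the parent can produce it."""
    return hmac.new(zone_key, data, hashlib.sha256).digest()


@dataclass
class Referral:
    child: str
    ns: List[str]    # NS RRset as it appears in a delegation response: no RRSIG
    ds: bytes        # DS RRset: signed by the parent
    ds_sig: bytes


def referral_accepted(r: Referral, trust_anchor: bytes) -> bool:
    """The only thing a validator can verify in the referral itself is the DS signature;
    the NS set is taken on faith, which is the race window Vixie describes."""
    expected = sign(trust_anchor, r.child.encode() + r.ds)
    return hmac.compare_digest(expected, r.ds_sig)


class Resolver:
    def __init__(self, trust_anchor: bytes, dnskeys: Dict[str, bytes], requery_on_bogus: bool):
        self.trust_anchor = trust_anchor
        self.dnskeys = dnskeys            # DNSKEY each name server would hand out
        self.requery_on_bogus = requery_on_bogus
        self.cache: Dict[str, Referral] = {}
        self.bogus: Dict[str, bool] = {}
        self.upstream_queries = 0

    def learn_referral(self, r: Referral) -> bool:
        if referral_accepted(r, self.trust_anchor):
            self.cache[r.child] = r
            return True
        return False

    def _dnskey_matches_ds(self, r: Referral) -> bool:
        self.upstream_queries += 1        # DNSKEY query to the cached NS
        return ds_digest(self.dnskeys[r.ns[0]]) == r.ds

    def lookup(self, child: str, parent_answer: Referral) -> str:
        """Resolve a name under `child`; returns 'secure' or 'servfail'.
        `parent_answer` is what the parent returns if the delegation is re-fetched."""
        if self.bogus.get(child):
            self.upstream_queries += 1    # a cache miss still goes upstream ...
            return "servfail"             # ... but the bogus verdict is sticky
        if self._dnskey_matches_ds(self.cache[child]):
            return "secure"
        if self.requery_on_bogus:
            # validator feeds back to the recursor: drop the delegation, fetch it again
            del self.cache[child]
            self.upstream_queries += 1
            self.learn_referral(parent_answer)
            if self._dnskey_matches_ds(self.cache[child]):
                return "secure"
        self.bogus[child] = True
        return "servfail"


def run_scenario(requery_on_bogus: bool) -> Dict[str, object]:
    parent_key = b"example-parent-key"          # constructed
    child_key = b"victim-dnskey"                # constructed
    attacker_key = b"attacker-dnskey"           # constructed
    dnskeys = {"ns1.victim.example.": child_key, "ns.attacker.example.": attacker_key}
    ds = ds_digest(child_key)
    genuine = Referral("victim.example.", ["ns1.victim.example."], ds,
                       sign(parent_key, b"victim.example." + ds))
    # Attacker won the race for $random.victim.example: its own NS set, but the
    # genuine DS and RRSIG copied through, since it cannot sign as the parent.
    spoofed = Referral("victim.example.", ["ns.attacker.example."], ds, genuine.ds_sig)
    r = Resolver(parent_key, dnskeys, requery_on_bogus)
    r.learn_referral(spoofed)                   # forged response arrived first
    first = r.lookup("victim.example.", genuine)
    second = r.lookup("victim.example.", genuine)   # cache miss for another name
    return {"ns_in_cache": r.cache["victim.example."].ns[0], "first": first,
            "second": second, "upstream": r.upstream_queries}


if __name__ == "__main__":
    print("requery on bogus (BIND-like): ", run_scenario(True))
    print("strict validator/recursor split:", run_scenario(False))
```

With re-query the poisoned NS set is thrown away as soon as the DNSKEY fails to match the DS and the zone recovers at the cost of extra upstream queries, the load Weimer worries about for zones that are genuinely mis-signed; without it the attacker's NS set stays cached and every name under the zone keeps returning SERVFAIL. A referral whose DS has been altered is rejected outright, which is why the attack has to carry the genuine DS.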
From owner-namedroppers@ops.ietf.org Mon May 11 07:58:05 2009
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 10:53:49 -0400
In-Reply-To: <20090511111642.GA2036@zaphods.net>
Message-ID: <20090511145348.GB3487@shinkuro.com>

Dear colleagues,

This is just to clarify the options before us. No decision is made; neither is any bias implied.

On Mon, May 11, 2009 at 01:16:42PM +0200, Stefan Schmidt wrote:
>
> > 1. Do nothing, and take all energy that might be devoted to this
> > effort and direct it towards DNSSEC deployment.
>
> Clearly you mean development, for
> "DNS operations are out of scope for the WG."

No, we meant deployment. It means that there would not be work for _this working group_ to do. We labour under the assumption that the talented, DNSSEC-clueful participants in this WG would direct their energies towards deployment if they did not have this WG distracting them with new protocols to develop. This is perhaps a faulty assumption. In any case, we have heard more than once that people outside the DNSEXT WG are waiting for the DNS weenies to settle finally on something, so they can deploy whatever they're going to deploy only once. I don't know whether that is true, but supposing it is, that might be another way of directing energy towards deployment (again, without this WG actually doing anything. Standing still and being silent is also doing something, after all).

> I can only assume that by EDNS0 code point you mean an Option Code.

Yes. This mistake in wording is my fault, not Olafur's. I should have been more precise. My apologies, and thank you for the clarification.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
From owner-namedroppers@ops.ietf.org Mon May 11 07:58:36 2009
From: Paul Vixie
To: bert hubert
Cc: Roy Arends, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: Your message of "Mon, 11 May 2009 12:47:12 +0200." <3efd34cc0905110347i7f090bd1rf0cac52b2990020d@mail.gmail.com>
Date: Mon, 11 May 2009 14:51:15 +0000
Message-ID: <84174.1242053475@nsa.vix.com>

> From: bert hubert
> Date: Mon, 11 May 2009 12:47:12 +0200
> ...
> "In other words, DNSSEC benefits from EDNS0[-PING] in a significant way."

my reasons for not pursuing a longer QID during the original EDNS work, and my reasons for not pursuing an optional QID extension during kaminsky's 2008 summer of fear, are that EDNS is always optional, and always has fallback, and the only state storage is a recommendation not a requirement, and that recommendation has symmetric value to requestors and responders. i'm sorry that i've been somewhat pissy about the people who assume i was ignorant of the need for a larger QID when EDNS was prepared, or that the omission was not completely deliberate on my part. i'll try to adopt a better tone.

my reasons for not supporting the EDNS0 PING work are that it changes all of those things. folks who worry about the extra traffic from the extra queries when EDNS0 PING is ignored are missing an even larger problem, which is that in a rapidly changing zone (for example where the target RRset changes on every query, with corresponding monotonic increases in SOA.SERIAL) will never converge. so even if every initiator was willing to add mandatory state for a requery when a response came back without EDNS0 PING (which isn't likely) we'd be faced with undefined conditions. in other words if a response comes back without EDNS0 PING then you still have to believe it -- so why bother?

however, i am intrigued by what bert said above about DNSSEC benefitting from something like EDNS0 PING. what if instead of the DO bit, the signalling for DNSSEC awareness had been a DO+PING? i think it's early enough in the deployment of DNSSEC that a new rule like "delegation responses from servers who don't also answer PING will cause a requery, and if the responses aren't the same, return SERVFAIL for now and try again later." note that this makes the dangerous assumption that NS RRsets won't delta on every response in the way that other RRsets are known to do. that may be fatally overoptimistic and i am not myself sure whether i'm in favour of this idea.

From owner-namedroppers@ops.ietf.org Mon May 11 08:15:20 2009
From: Florian Weimer
To: Paul Vixie
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 17:10:45 +0200
In-Reply-To: <83281.1242052106@nsa.vix.com> (Paul Vixie's message of "Mon, 11 May 2009 14:28:26 +0000")
Message-ID: <82prefn096.fsf@mid.bfk.de>

* Paul Vixie:

> somebody pointed out to me a week ago that one of the kaminsky variants
> works fine across a dnssec-secured delegation point where the parent and
> child are both signed and the signatures are all valid, since the NS RRset
> coming from the parent does not have signatures in the delegation response.
> so, a query for $random.$victim opens a race window during which a poison
> NS RRset could be inserted for $victim. perhaps this is the flaw referred
> to above.

All data is signed somewhere, so you could use DNSSEC to detect this. It's difficult to get this right without running in too many circles, but it should be possible if it is done early (that is, not just when validation fails).
--=20 Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra=DFe 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 11 08:24:55 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 795E628C141; Mon, 11 May 2009 08:24:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.862 X-Spam-Level: X-Spam-Status: No, score=-4.862 tagged_above=-999 required=5 tests=[AWL=-0.684, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HiV13STgQpgn; Mon, 11 May 2009 08:24:54 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7E9A53A696E; Mon, 11 May 2009 08:24:54 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3XK5-000G1m-MQ for namedroppers-data0@psg.com; Mon, 11 May 2009 15:21:45 +0000 Received: from [192.150.186.11] (helo=fruitcake.ICSI.Berkeley.EDU) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M3XJt-000Fyo-4z for namedroppers@ops.ietf.org; Mon, 11 May 2009 15:21:39 +0000 Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id n4BFLShl024658; Mon, 11 May 2009 08:21:28 -0700 (PDT) Cc: Nicholas Weaver , Andrew Sullivan , namedroppers@ops.ietf.org Message-Id: <344511CD-98C4-49DC-A03E-4E2F50B08A7A@ICSI.Berkeley.EDU> From: Nicholas Weaver To: Florian Weimer 
In-Reply-To: <82y6t3ojcy.fsf@mid.bfk.de>
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 08:21:28 -0700

On May 11, 2009, at 6:32 AM, Florian Weimer wrote:

> * Nicholas Weaver:
>
>> If you want DNSSEC deployed, mechanisms which punish incorrectly
>> signed zones with significant load should be regarded as a feature,
>> not a bug.
>
> I think this joke is in rather bad taste. Certainly, fear of accidental
> self-DoS (and not just zone unavailability, but actual packetting)
> will not help deployment at all!

This actually isn't entirely a joke. If DNSSEC is to do anything at all,
such a case would be a DOS anyway: your names just don't resolve.
Otherwise, why have DNSSEC on the resolver at all if you simply ignore
signature failures?!?

It is this silent failure on misconfiguration/screwup that is the real
DOS worry: it's incredibly frustrating to get "your name isn't resolving"
as feedback but no idea why. As the author of a deliberately
standard-incompliant DNS authority, trust me on this...

At least if the site sees load as a result of the screwup, this acts as
an implicit notification that there is a problem, which is far more
useful than a silent failure.

Anyway, with an exponential backoff on retries, this isn't a real DoS
anyway, just really enough to get your attention, unless you are a
really really big site and running on the ragged edge.
Likewise, proposals which cause load on those who don't sign at all
really should be viewed as features: explicit punishment for not
upgrading to DNSSEC is one of the biggest incentives for people to want
to deploy DNSSEC, especially when deploying DNSSEC wrong IS a DoS of
your name.

From owner-namedroppers@ops.ietf.org Mon May 11 08:33:46 2009
From: Paul Vixie
To: Florian Weimer
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: Your message of "Mon, 11 May 2009 17:10:45 +0200." <82prefn096.fsf@mid.bfk.de>
Date: Mon, 11 May 2009 15:29:46 +0000
Message-ID: <85796.1242055786@nsa.vix.com>

> From: Florian Weimer
> Date: Mon, 11 May 2009 17:10:45 +0200
>
> * Paul Vixie:
>
> > somebody pointed out to me a week ago that one of the kaminsky variants
> > works fine across a dnssec-secured delegation point where the parent
> > and child are both signed and the signatures are all valid, since the
> > NS RRset coming from the parent does not have signatures in the
> > delegation response. so, a query for $random.$victim opens a race
> > window during which a poison NS RRset could be inserted for $victim.
> > perhaps this is the flaw referred to above.
>
> All data is signed somewhere, so you could use DNSSEC to detect this.

sadly, the data in this case is not signed anywhere. there's no "empty DS"
in a delegation to tell a validator that a delegation isn't signed. the way
DNSSEC expresses an unsigned delegation is an NS RRset in the authority
section, which can be substituted by a kaminsky-inspired attacker. there
may not be any DNSSEC data at the child. so there's no way for a validator
to differentiate between a legitimate unsigned delegation, as against a
poisoned unsigned delegation designed to replace a legitimate
signed/unsigned delegation.

> It's difficult to get this right without running in too many circles,
> but it should be possible if it is done early (that is, not just
> when validation fails).

after reading the rest of this thread i agree with bert that this problem
exists. however, i also agree with roy that this is a corner case and does
not by itself invalidate the DNSSEC model. there are two benefits to
DNSSEC, one being to protect the infrastructure (which includes the
delegation chain) and one is to enable a new class of internet applications
who behave differently in the presence of end-to-end dns security (such as
a new way of deciding whether to trust an SSL key). it's sad that we have
to believe an unsigned delegation even though it could be spoofed. but a
signed delegation leading to provably authentic data is still in force.
also, source port randomization more or less rules this attack out. do i
wish we had a longer QID? you betcha. will i lose sleep over it? not so.

if somebody *is* losing sleep over this, then channel (hop by hop) security
is only one possible option. and DNSSEC-only channel security (like
DO+PING) should be considered, since this is a DNSSEC problem.

by the way, ed lewis kindly pointed out that my SRV-related message had the
wrong number of labels in its example. i meant to say that if all DNSSEC
metadata were under a _DNSSEC subdomain at the zone apex, then none of it
would share nodes with children or with the targets. so instead of a DS RR
at "DNSSEC.SE" there would be a DS RR at DNSSEC._DNSSEC.SE. and there would
be an RRSIG RR at DNSSEC._DNSSEC.SE covering the NS RR at DNSSEC.SE in the
.SE zone. sorry for being fast and loose before. and note that this is not
a proposal for changing DNSSEC, so much as denoting a missed opportunity.
(the _DNSSEC subdomain would never be a delegation point, nor have
delegation points below it, and it would always be at the zone apex.)
From owner-namedroppers@ops.ietf.org Mon May 11 08:36:22 2009
From: Olafur Gudmundsson
To: Paul Vixie
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 11:31:26 -0400
In-Reply-To: <83281.1242052106@nsa.vix.com>
Message-Id: <200905111531.n4BFVXST091018@stora.ogud.com>

At 10:28 11/05/2009, Paul Vixie wrote:
> > Date: Mon, 11 May 2009 09:47:14 +0200
> > From: "W.C.A. Wijngaards"
> >
> > I am sorry, but spoofing at the delegation level does not lead to
> > prolonged downtime with DNSSEC. Validators usually wait a short while
> > before the bogus data is flushed out of the cache, but this is not
> > 'prolonged'. Can you give details on this denial-of-service?
>
> if dnssec isn't secure then we'll have to fix it. but this would not be
> an argument for dropping it in favour of hop-by-hop measures. at best we
> may have to do more hop-by-hop to make sure end-to-end is safe. but for
> the future of dns itself we need end-to-end security at whatever cost.
>
> somebody pointed out to me a week ago that one of the kaminsky variants
> works fine across a dnssec-secured delegation point where the parent and
> child are both signed and the signatures are all valid, since the NS RRset
> coming from the parent does not have signatures in the delegation response.
> so, a query for $random.$victim opens a race window during which a poison
> NS RRset could be inserted for $victim. perhaps this is the flaw referred
> to above.
>
> i very much wish that i had learned the lesson of SRV naming more
> completely. had we put our NSEC[3]'s, RRSIG's and DS's at
> _$type._DNSSEC.$object rather than at $object, they would be in-zone even
> at delegation points, and the only ambiguity would be that the two NS
> RRsets (one in parent, one in child) would each have its own RRSIG, and it
> would be nec'y to remember the context in which it had been heard when
> deciding what signature it had to match. we would then be able to query
> for them if they expire or are purged earlier than the objects they cover.
> and more importantly after kaminsky's 2008 summer of fear, delegations
> would all be signed. i apologize for not thinking of this five years ago.

Historical note: This is similar to what the NO draft proposed:
http://tools.ietf.org/html/draft-ietf-dnsext-not-existing-rr-01

Olafur

From owner-namedroppers@ops.ietf.org Mon May 11 08:36:31 2009
Date: Mon, 11 May 2009 15:28:10 +0000
From: bmanning@vacation.karoshi.com
To: Paul Vixie
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090511152810.GB827@vacation.karoshi.com.>
In-Reply-To: <83281.1242052106@nsa.vix.com>

On Mon, May 11, 2009 at 02:28:26PM +0000, Paul Vixie wrote:
> > Date: Mon, 11 May 2009 09:47:14 +0200
> > From: "W.C.A. Wijngaards"
> >
> > I am sorry, but spoofing at the delegation level does not lead to
> > prolonged downtime with DNSSEC. Validators usually wait a short while
> > before the bogus data is flushed out of the cache, but this is not
> > 'prolonged'. Can you give details on this denial-of-service?
>
> if dnssec isn't secure then we'll have to fix it. but this would not be
> an argument for dropping it in favour of hop-by-hop measures. at best we
> may have to do more hop-by-hop to make sure end-to-end is safe. but for
> the future of dns itself we need end-to-end security at whatever cost.
>
> i very much wish that i had learned the lesson of SRV naming more completely.

good thing you never stop learning.

> i apologize for not thinking of this five years ago.

you are not personally responsible here. the design model was fixed last
century - so the haq you enumerated only corrects some of the symptoms.
To truly correct the problem, DNSSEC should have RRset granularity, not
zone granularity... but that's a much larger discussion.

--bill

From owner-namedroppers@ops.ietf.org Mon May 11 09:03:21 2009
To: Paul Vixie
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
From: Florian Weimer
Date: Mon, 11 May 2009 17:59:05 +0200
In-Reply-To: <85796.1242055786@nsa.vix.com> (Paul Vixie's message of "Mon, 11 May 2009 15:29:46 +0000")
Message-ID: <824ovrmy0m.fsf@mid.bfk.de>

* Paul Vixie:

>> > somebody pointed out to me a week ago that one of the kaminsky variants
>> > works fine across a dnssec-secured delegation point where the parent
>> > and child are both signed and the signatures are all valid, since the
>> > NS RRset coming from the parent does not have signatures in the
>> > delegation response. so, a query for $random.$victim opens a race
>> > window during which a poison NS RRset could be inserted for $victim.
>> > perhaps this is the flaw referred to above.
>>
>> All data is signed somewhere, so you could use DNSSEC to detect this.
>
> sadly, the data in this case is not signed anywhere. there's no "empty DS"
> in a delegation to tell a validator that a delegation isn't signed.

Huh? There's an NSEC with no bit set for the DS RRset. Are you sure
you don't look at it when validating? I can't believe this.

(I think this has been proposed as the "SO" variant of DNSSEC.)

> the way DNSSEC expresses an unsigned delegation is an NS RRset in
> the authority section, which can be substituted by a
> kaminsky-inspired attacker. there may not be any DNSSEC data at the
> child. so there's no way for a validator to differentiate between a
> legitimate unsigned delegation, as against a poisoned unsigned
> delegation designed to replace a legitimate signed/unsigned
> delegation.

Right, DNSSEC does not offer any protection for zones which aren't
signed. However, you can make attacks somewhat harder if you validate
the NS set of the parent zone (including its addresses), to make sure
that you get the data from the right place. This would defuse one
Kaminsky-style attack where you target the authority information in the
parent zone (which you'll never notice if the attacker dutifully answers
with correct DNSSEC data to queries with the DO bit---so perhaps "always
set DO" isn't such a bad policy after all). So with careful resolver
implementation, there is *some* benefit for unsigned children of signed
parents, too.

>> It's difficult to get this right without running in too many circles,
>> but it should be possible if it is done early (that is, not just
>> when validation fails).
>
> after reading the rest of this thread i agree with bert that this problem
> exists. however, i also agree with roy that this is a corner case and does
> not by itself invalidate the DNSSEC model.

Yes. We only have a problem if implementors refuse to work around it,
and it turns out that the level of channel security we've got is not
sufficient.

> there are two benefits to DNSSEC, one being to protect the
> infrastructure (which includes the delegation chain)

And we need it.

> and one is to enable a new class of internet applications who behave
> differently in the presence of end-to-end dns security (such as a
> new way of deciding whether to trust an SSL key).

Masataka Ohta offered a very succinct answer to such claims about new
applications:

| DNSSEC is not secure end to end and is useless.
|
| DNSSEC is secure, at most, zone hop by zone hop, which is as secure as
| plain old DNS with NS hop by NS hop security.

I think he's right with regard to new applications, but he's wrong as
far as infrastructure protection is concerned.

> by the way, ed lewis kindly pointed out that my SRV-related message had the
> wrong number of labels in its example. i meant to say that if all DNSSEC
> metadata were under a _DNSSEC subdomain at the zone apex, then none of it
> would share nodes with children or with the targets. so instead of a DS RR
> at "DNSSEC.SE" there would be a DS RR at DNSSEC._DNSSEC.SE. and there
> would be an RRSIG RR at DNSSEC._DNSSEC.SE covering the NS RR at DNSSEC.SE
> in the .SE zone.

Yes, this makes more sense, I suspected this. The major benefit would
have been that you could delegate _DNSSEC.SE to a different server and
offload any DNSSEC-related activity from your main, production servers.
(We still could have something similar with a DLV+NS combo.)

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Mon May 11 11:59:31 2009
From: Paul Vixie
To: Florian Weimer
Cc: "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: Your message of "Mon, 11 May 2009 17:59:05 +0200." <824ovrmy0m.fsf@mid.bfk.de>
Date: Mon, 11 May 2009 18:47:32 +0000
Message-ID: <93815.1242067652@nsa.vix.com>

> From: Florian Weimer
> Date: Mon, 11 May 2009 17:59:05 +0200
> ...
> > sadly, the data in this case is not signed anywhere. there's no "empty
> > DS" in a delegation to tell a validator that a delegation isn't signed.
>
> Huh? There's an NSEC with no bit set for the DS RRset. Are you sure
> you don't look at it when validating? I can't believe this.

i am not sure, no. but the person who told me to worry about this is more
of a dnssec protocol expert than me, and so i'd like others here to chime
in on this question.
From owner-namedroppers@ops.ietf.org Mon May 11 12:59:35 2009
From: Matt Larson
To: Paul Vixie
Cc: Florian Weimer, "W.C.A. Wijngaards", bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 15:53:08 -0400
Message-ID: <20090511195307.GF385@dul1mcmlarson-l1.labs.vrsn.com>
In-Reply-To: <93815.1242067652@nsa.vix.com>

On Mon, 11 May 2009, Paul Vixie wrote:
> > From: Florian Weimer
> > Date: Mon, 11 May 2009 17:59:05 +0200
> > ...
> > > sadly, the data in this case is not signed anywhere. there's no "empty
> > > DS" in a delegation to tell a validator that a delegation isn't signed.
> >
> > Huh? There's an NSEC with no bit set for the DS RRset. Are you sure
> > you don't look at it when validating? I can't believe this.
>
> i am not sure, no. but the person who told me to worry about this is more
> of a dnssec protocol expert than me, and so i'd like others here to chime
> in on this question.

I'm not understanding your original comment, either, Paul. A referral to
an unsigned delegation includes a signed NSEC with no DS bit as Florian
described, which is an unambiguous assertion that the delegation exists
and is unsigned. The situation is similar but not exactly the same in an
NSEC3/Opt-Out zone, where the NSEC3 record(s) prove only that the
delegation is unsigned. (I.e., it is possible to spoof an unsigned
delegation into existence in an Opt-Out zone.)

Matt
From owner-namedroppers@ops.ietf.org Mon May 11 14:17:45 2009
From: Paul Vixie
To: Matt Larson
Cc: Florian Weimer, W.C.A. Wijngaards, bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <20090511195307.GF385@dul1mcmlarson-l1.labs.vrsn.com>
Date: Mon, 11 May 2009 21:09:51 +0000
Message-ID: <99637.1242076191@nsa.vix.com>

> Date: Mon, 11 May 2009 15:53:08 -0400
> From: Matt Larson
>
> > > > sadly, the data in this case is not signed anywhere.  there's no "empty
> > > > DS" in a delegation to tell a validator that a delegation isn't signed.
> > >
> > > Huh?  There's an NSEC with no bit set for the DS RRset.  Are you sure
> > > you don't look at it when validating?  I can't believe this.
> >
> > i am not sure, no.  but the person who told me to worry about this is more
> > of a dnssec protocol expert than me, and so i'd like others here to chime
> > in on this question.
>
> I'm not understanding your original comment, either, Paul.  A referral to
> an unsigned delegation includes a signed NSEC with no DS bit as Florian
> described, which is an unambiguous assertion that the delegation exists
> and is unsigned.  The situation is similar but not exactly the same in an
> NSEC3/Opt-Out zone, where the NSEC3 record(s) prove only that the
> delegation is unsigned.  (I.e., it is possible to spoof an unsigned
> delegation into existence in an Opt-Out zone.)

so, a MiTM could in this case substitute different nameservers for the real
ones and so this case (unsigned delegation) is not protected by DNSSEC.
that's not news and it's not the end of the world.
From owner-namedroppers@ops.ietf.org Mon May 11 16:35:16 2009
From: Mark Andrews
To: Paul Vixie
Cc: Florian Weimer, W.C.A. Wijngaards, bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <85796.1242055786@nsa.vix.com>
Date: Tue, 12 May 2009 09:29:03 +1000
Message-Id: <200905112329.n4BNT3Iv040152@drugs.dv.isc.org>

In message <85796.1242055786@nsa.vix.com>, Paul Vixie writes:
>
> sadly, the data in this case is not signed anywhere.  there's no "empty DS"
> in a delegation to tell a validator that a delegation isn't signed.  the
> way DNSSEC expresses an unsigned delegation is an NS RRset in the authority
> section, which can be substituted by a kaminsky-inspired attacker.  there
> may not be any DNSSEC data at the child.  so there's no way for a validator
> to differentiate between a legitimate unsigned delegation, as against a
> poisoned unsigned delegation designed to replace a legitimate
> signed/unsigned delegation.

If there is no DS then there *is* a NSEC/NSEC3 RRset which indicates the
delegation isn't signed or is in an opt-out range.  This is not to say the
NS and glue address records in a delegation can't be spoofed.

I have said before that the delegating NS RRset and glue records in a signed
parent zone should also be signed.  This allows the delegation to be
validated before it is followed.  This also allows for arbitrary glue to be
used and all possible delegation models to be supported as you now have a
mechanism to chase back bad glue to the source.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
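An added example (not code from this thread or from any resolver mentioned in it) of the parent-side check Matt and Mark describe: the validator decides secure / insecure / bogus from the DS, NSEC or NSEC3 data alone, never from the NS or glue hints, and it separates the NSEC (or matching NSEC3) case, which proves the delegation exists, from the Opt-Out NSEC3 case, which proves only that no DS exists in the covered range. It assumes the RRSIGs over those records were already verified, that the caller has done the RFC 5155 hashing of the child name (the child_hash field), and all record data below is constructed.

```python
# RR type codes used below (RFC 4034 / RFC 5155 assignments)
TYPE_NS, TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_NSEC = 2, 6, 43, 46, 47
NSEC3_OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155 3.1.2.1)


def encode_type_bitmap(types):
    """Build an RFC 4034 4.1.2 type bitmap (window, length, bits...) from type codes."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bits[low >> 3] |= 0x80 >> (low & 7)
        length = max(i + 1 for i, b in enumerate(bits) if b)  # trailing zero octets dropped
        out += bytes([window, length]) + bytes(bits[:length])
    return out


def decode_type_bitmap(data):
    """Parse a wire-format type bitmap back into the set of type codes it asserts."""
    types, pos = set(), 0
    while pos < len(data):
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("type bitmap block length must be 1..32")
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (i << 3) | bit)
        pos += 2 + length
    return types


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True when target lies strictly between owner and next in hash order (base32hex
    preserves that order); the last NSEC3 of a zone wraps around to the first."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    return target_hash > owner_hash or target_hash < next_hash


def classify_referral(child, referral):
    """Classify a parent-side referral the way a validator must: only the DS, NSEC or
    NSEC3 data (assumed to have passed RRSIG validation already) is authoritative; the
    NS and glue hints are unsigned and are never consulted for this decision."""
    if referral.get("ds"):
        return "secure", "DS present: the chain of trust continues into the child zone"
    nsec = referral.get("nsec")
    if nsec and nsec["owner"] == child:
        types = decode_type_bitmap(nsec["bitmap"])
        if TYPE_SOA in types:  # an apex NSEC comes from the child, not the parent (RFC 4035 5.2)
            return "bogus", "NSEC carries the SOA bit, so it is not the parent-side NSEC"
        if TYPE_NS in types and TYPE_DS not in types:
            return "insecure", "signed NSEC proves the delegation exists and has no DS"
        return "bogus", "NSEC at the delegation does not describe an unsigned delegation"
    for rec in referral.get("nsec3", []):
        if rec["owner_hash"] == referral.get("child_hash"):
            types = decode_type_bitmap(rec["bitmap"])
            if TYPE_NS in types and TYPE_DS not in types and TYPE_SOA not in types:
                return "insecure", "matching NSEC3 proves the delegation exists and has no DS"
            return "bogus", "matching NSEC3 does not describe an unsigned delegation"
        if rec["flags"] & NSEC3_OPT_OUT and nsec3_covers(
            rec["owner_hash"], rec["next_hash"], referral.get("child_hash", "")
        ):
            # The Opt-Out span proves no DS exists in this range; it does NOT prove that
            # the delegation itself exists, which is the gap Matt Larson points out.
            return "insecure", "Opt-Out NSEC3 covers the name: no DS, existence of delegation unproven"
    return "bogus", "no DS and no NSEC/NSEC3 proof that the DS is absent"


# Constructed sample referrals for "child.example." (hashes are made-up base32hex labels).
CHILD = "child.example."
CHILD_HASH = "1HNTLOFQ3R6QLNPJ5IIQE1GPMM88T2IB"
REFERRAL_NSEC = {"nsec": {"owner": CHILD,
                          "bitmap": encode_type_bitmap({TYPE_NS, TYPE_RRSIG, TYPE_NSEC})}}
REFERRAL_CHILD_APEX_NSEC = {"nsec": {"owner": CHILD,
                                     "bitmap": encode_type_bitmap({TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC})}}
REFERRAL_OPT_OUT = {
    "child_hash": CHILD_HASH,
    "nsec3": [{"owner_hash": "0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM",
               "next_hash": "2T7B4G4VSA5SMI47K61MV5BV1A22BOJR",
               "flags": NSEC3_OPT_OUT,
               "bitmap": encode_type_bitmap({TYPE_NS, TYPE_SOA, TYPE_RRSIG})}],
}
REFERRAL_DS = {"ds": [b"constructed DS rdata"]}
REFERRAL_BARE = {"child_hash": CHILD_HASH, "nsec3": []}  # NS + glue only, nothing signed

if __name__ == "__main__":
    for label, ref in [("NSEC", REFERRAL_NSEC), ("apex NSEC", REFERRAL_CHILD_APEX_NSEC),
                       ("opt-out", REFERRAL_OPT_OUT), ("DS", REFERRAL_DS), ("bare", REFERRAL_BARE)]:
        print(f"{label:>10}: {classify_referral(CHILD, ref)}")
```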
From owner-namedroppers@ops.ietf.org Mon May 11 19:02:44 2009
From: Bert
To: W.C.A. Wijngaards
Cc: bert hubert, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Mon, 11 May 2009 10:33:49 +0200
Message-Id: <88A8F092-5CEB-4655-8843-DF48E0A0A513@secret-wg.org>
In-Reply-To: <4A07D802.9050400@nlnetlabs.nl>

[ Moderators note: Post was moderated, either because it was posted by a
  non-subscriber, or because it was over 20K.  With the massive amount of
  spam, it is easy to miss and therefore delete relevant posts by
  non-subscribers.  Please fix your subscription addresses. ]

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 11 May 2009, at 09:47, W.C.A. Wijngaards wrote:

> But Bert does...

--Bert's secretary
http://bert.secret-wg.org/Root/

From owner-namedroppers@ops.ietf.org Tue May 12 06:18:16 2009
Date: Tue, 12 May 2009 15:12:51 +0200
From: Peter Koch
To: IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <20090512131251.GB5566@unknown.office.denic.de>
In-Reply-To: <200904221507.n3MF7G6J047453@stora.ogud.com>

On Wed, Apr 22, 2009 at 11:07:09AM -0400, Ólafur Guðmundsson /DNSEXT chair wrote:

> The WG has received a request to adopt this as a work item.
> See draft:
> http://www.ietf.org/internet-drafts/draft-hubert-ulevitch-edns-ping-01.txt
>
> The current document falls under the "further Forgery Resilience" clause in
> our charter.
>
> If we are going to debate the merits of this proposal, the chairs think
> it is going to be beneficial to all that we have a common understanding of
> what the proposal is about and its implications.

agreed.  However, the draft asking for adoption does not enable the wg to
make an informed decision because it is essentially free of any content.
All important parts (judging from subsequent mailing list discussions) have
been "intentionally left blank", where the only issue that should have been
left open, is actually jumping ahead: the code point assignment.  For this
lack of base of discussion, I object to the adoption of this document as a
working group item.

In addition to many of the points Wouter has raised, I'd like to share my
observation that I feel there is a recent trend that could be read as an
end run to process by submitting as little information as theoretically
possible for a code point assignment and leaving everything else to
implementors.  This worries me a lot, because the DNS is not only about
packets going back and forth on Port 53, but also a large deployed
infrastructure that deserves some extra thought.  These operational
considerations need to be an integral part of the specification as well
as good guidance for the resolver implementor to avoid undesired changes
to the swarm behaviour of today's resolver population.

> Q1: Is EDNS0 Ping more expensive [1] than other EDNS0 options ?

"Ping" is a misnomer since what seems to be tried here is the extension of
the QID range.

-Peter

From owner-namedroppers@ops.ietf.org Tue May 12 06:43:41 2009
Date: Tue, 12 May 2009 09:40:17 -0400
From: Edward Lewis
To: namedroppers@ops.ietf.org
Cc: ed.lewis@neustar.biz
Subject: [dnsext] signing referral NSs and glue

There is a conscious reason why NS sets from the parent and glue records
aren't signed in DNSSEC.  It is unnecessary.

DNSSEC offers source authenticity and data integrity.  DNSSEC does not
guarantee answer receipt.  If DNSSEC is to be augmented, a DDoS mitigation
mechanism is the most needed companion.  (If you assume IPSEC/TSIG/TKEY also
is involved in last hop protection.)  Note that DNSSEC does not "secure the
DNS" if you mean "I ask and then I get the valid answer."  DNSSEC only fends
off the invalid answers.

In a referral with DNSSEC, there are three parts to the message.  One is the
NS set provided as a hint from the parent.  Two is the glue provided as a
hint from the parent.  And third is a signed, authoritative indication of the
DNSSEC parameters for the child zone.

The NS hint and glue are not sourced from the parent, hence not signed.
(Remember, DNSSEC -> source authenticity; the parent is not the source).  If
these were signed, the debugging headache of stale glue would be magnified
by the confused party seeing a temporally valid signature over the problem.

It is true that if the NS set and the glue are entirely forged the client
will not be able to get to the authentic data.  As far as the design goal of
DNSSEC, the goal of preventing invalid data is achieved by the forged source
hints being unable to meet the parameters that the parent is the source of -
the DS set contents or the NSEC[3] statement of no DNSSEC.  I.e., the part
of the referral that is DNSSEC protected is the DNSSEC parameters.  If the
forger has access to a private key that meets what's in the DS RR set, then
the client will be duped - but DNSSEC assumes the private key is private and
unguessable.  If the child legitimately is not using DNSSEC, we have what we
have today.

The choice to fail dead (SERVFAIL) comes from the strict interpretation of
security that emanated from the DNSSEC WG's being placed in the Security
Area in the early 90's.  If you wanted DNSSEC to protect you from bad info,
it did, no excuses.  Beyond that, there are variations in the way DNSSEC is
implemented that can make this drop-dead less precipitous.  There are
various coding choices that can be made.  In the past years I have seen some
I disagree with that are compliant with the RFCs but "could be better."  I
won't bother with specifics here, I mean to say that when considering what
you see happen in DNSSEC, research whether it is a protocol element or code
element that needs fixing.  Security at first makes a working system
brittle, the next step is to adjust security so that it doesn't break the
system while security is protecting the system.

The issue of signing referrals comes up every few years.  What's been lost
to history is that the parent's version of the child's NS set and the glue
are just hints.  The implementation BIND uses the hints to find the desired
data but also does due diligence in parallel to cache the authoritative
version of the referral data for future reference.  Keeping in mind that the
parent has hints and not the data, it's easier to understand why the
referral NS and glue are not DNSSEC signed.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From owner-namedroppers@ops.ietf.org Tue May 12 08:17:58 2009
From: Paul Vixie
To: IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
In-Reply-To: <20090512131251.GB5566@unknown.office.denic.de>
Date: Tue, 12 May 2009 15:13:18 +0000
Message-ID: <42739.1242141198@nsa.vix.com>

> Date: Tue, 12 May 2009 15:12:51 +0200
> From: Peter Koch
> ...
> ... I object to the adoption of this document as a working group item.

me too.

> In addition to many of the points Wouter has raised, I'd like to share my
> observation that I feel there is a recent trend that could be read as an
> end run to process by submitting as little information as theoretically
> possible for a code point assignment and leaving everything else to
> implementors.  This worries me a lot, because the DNS is not only about
> packets going back and forth on Port 53, but also a large deployed
> infrastructure that deserves some extra thought.  These operational
> considerations need to be an integral part of the specification as well
> as good guidance for the resolver implementor to avoid undesired changes
> to the swarm behaviour of today's resolver population.

this is what we (ISC) did for DLV.  we defined the RDATA because we didn't
want to use a private type code, but we did not define the method of use,
because i knew pretty well in advance that the DLV model wasn't going to be
adopted by the WG.  so i'm sympathetic to bert's position, even though i
think PING is a bad idea for reasons i've stated several times.  this WG
seems to be a gatekeeper to prevent many things from getting into the DNS.
someone who wants to give something a try is somewhat discouraged both at
the outset and throughout.  i think a heavier use of, and encouragement of,
experimental track RFC's with an expectation that they may be upgraded to
proposed standard later, would stop the "end runs" from happening around
here.  (SRV started on the experimental track if i recall correctly.)

formal standards status no longer has any bearing on whether the whole
internet ends up using some new protocol feature.  RFC's are often written
well after the fact.  bert for example has said that he already has a small
installed base for PING, and i know there's a small installed base for 0x20,
and i know there's a moderate sized and growing installed base for DLV.  do
we want this WG to be in the position of preventing standards status for
things that the crowd doesn't like, thus making the WG irrelevant?  or would
we rather be in the business of helping get new technologies developed and
deployed?  if the latter, then we're going to need an attitude adjustment.

(note that my reasons for opposing PING are technical, not administrative;
i'm against it because it has necessarily undefinable elements -- that is,
because it is not correct and cannot be made correct by incremental protocol
work or standards action -- and not because the internet draft doesn't say
enough about how PING is to be used.)
From owner-namedroppers@ops.ietf.org Tue May 12 11:36:38 2009
From: George Barwood
To: Paul Vixie, IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Date: Tue, 12 May 2009 19:29:46 +0100

I don't see PING as incorrect.

It may be more honest to call it "Extended Query Id".

The situation is this:

                          In-Path Attack    Out-of-path Attack
Plain DNS 16-bit ID       Trivial           Easy
Plain DNS 32-bit ID       Trivial           Hard
Plain DNS 128-bit ID      Trivial           Very Hard

DNSSEC 16-bit ID          DOS Trivial       DOS Easy
DNSSEC 32-bit ID          DOS Trivial       DOS Hard
DNSSEC 128-bit ID         DOS Trivial       DOS Very Hard

Without some kind of Query Id, DNSSEC has no protection against Out-of-path
DOS attacks, and would be useless.

An Extended Query ID gives full protection, and in a cleaner, stronger, and
more reliable way than source port randomization.  It fixes the original
cryptographic weakness in the protocol, namely that the Query Id is not long
enough.

This strengthens both Plain DNS and DNSSEC, and in the long term allows both
protocols to be implemented in a straight-forward manner, especially for
recursors situated behind NAT devices.

George Barwood

----- Original Message -----
From: "Paul Vixie" <vixie@isc.org>
To: "IETF DNSEXT WG" <namedroppers@ops.ietf.org>
Sent: Tuesday, May 12, 2009 4:13 PM
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?

> (note that my reasons for opposing PING are technical, not administrative;
> i'm against it because it has necessarily undefinable elements -- that is,
> because it is not correct and cannot be made correct by incremental protocol
> work or standards action -- and not because the internet draft doesn't say
> enough about how PING is to be used.)
From owner-namedroppers@ops.ietf.org Tue May 12 11:38:53 2009
From: Andrew Sullivan <ajs@shinkuro.com>
To: namedroppers@ops.ietf.org
Date: Tue, 12 May 2009 14:34:33 -0400
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <20090512183432.GB1189@shinkuro.com>
In-Reply-To: <42739.1242141198@nsa.vix.com>

On Tue, May 12, 2009 at 03:13:18PM +0000, Paul Vixie wrote:

> this WG seems to be a gatekeeper to prevent many things from
> getting into the DNS.

My reading of our charter is that this is exactly what we're supposed to be doing:

> The WG will limit itself to review of proposals for new extensions,
> clarification to the DNS protocol, including DNSSEC, and review of
> DNS protocol related work which may originate elsewhere in the IETF,
> including AD-sponsored submissions or drafts in other working
> groups.

In other words, we're supposed to get new proposals _from elsewhere_, and then review them (which practically means "poke holes in"). This is an assumption on which I've been operating as a co-chair.

I'm aware that this reading is not exactly welcoming or encouraging to people who want to put new things in the DNS. If we think that's a problem, we either need to change the WG charter or I have to revise my interpretation. I think my understanding is supported by that text, however, and it's sure consistent with what I remember from the Prague meeting where we put the WG "to sleep".

A

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
From owner-namedroppers@ops.ietf.org Tue May 12 12:09:09 2009
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, "Paul Vixie" <vixie@isc.org>, "IETF DNSEXT WG" <namedroppers@ops.ietf.org>
Date: Tue, 12 May 2009 12:05:18 -0700
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?

On May 12, 2009, at 11:29 AM, George Barwood wrote:

> I don't see PING as incorrect.
>
> It may be more honest to call it "Extended Query Id".
>
> The situation is this:
>
>                         In-Path Attack   Out-of-path Attack
> Plain DNS 16-bit ID     Trivial          Easy
> Plain DNS 32-bit ID     Trivial          Hard
> Plain DNS 128-bit ID    Trivial          Very Hard
>
> DNSSEC 16-bit ID        DOS Trivial      DOS Easy
> DNSSEC 32-bit ID        DOS Trivial      DOS Hard
> DNSSEC 128-bit ID       DOS Trivial      DOS Very Hard
>
> Without some kind of Query Id, DNSSEC has no protection against
> Out-of-path DOS attacks, and would be useless.
>
> An Extended Query ID gives full protection, and in a cleaner,
> stronger, and more reliable way than source port randomization. It
> fixes the original cryptographic weakness in the protocol, namely
> that the Query Id is not long enough.
>
> This strengthens both Plain DNS and DNSSEC, and in the long term
> allows both protocols to be implemented in a straight-forward
> manner, especially for recursors situated behind NAT devices.

I disagree. If out-of-path DOS becomes significant on DNSSEC, requerying mechanisms can be used. And requerying mechanisms are probably advisable anyway, if only to act as implicit notification to the authorities that something is wrong with their DNSSEC deployment.

And 2^30 packets to DOS a name, even without requerying is, bah, a waste of packets. There are far, FAR better things to do.
From owner-namedroppers@ops.ietf.org Tue May 12 14:47:29 2009
From: "George Barwood" <george.barwood@blueyonder.co.uk>
To: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
Cc: "Paul Vixie" <vixie@isc.org>, "IETF DNSEXT WG" <namedroppers@ops.ietf.org>
Date: Tue, 12 May 2009 22:42:04 +0100
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?

I don't dispute that by writing sufficiently complex resolver-side software, it's possible to work around the deficiencies of the 16-bit ID.

However such complexity has its own risks, and it goes against good engineering practice to continue indefinitely with a flawed design if a simple remedy is available.

My point was that an extended ID should not be seen as "incorrect".

Besides, we are talking about 2^15 packets in the case I referred to, which is a non-DNSSEC aware cache behind a NAT firewall, serving a DNSSEC-validating resolver, so there are practical issues as well.

Requerying is quite complex, you basically have to stop using the cache completely, because you cannot know at what point the delegation has been hijacked. That means that writing a DNSSEC-validating resolver becomes significantly more complex, and the requerying behavior could become the basis for other attacks.

That may be the world we are forced to endure for the moment, but surely it's best to plan for a better future.

----- Original Message -----
From: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>; "Paul Vixie" <vixie@isc.org>; "IETF DNSEXT WG" <namedroppers@ops.ietf.org>
Sent: Tuesday, May 12, 2009 8:05 PM
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?

> On May 12, 2009, at 11:29 AM, George Barwood wrote:
>
>> I don't see PING as incorrect.
>>
>> It may be more honest to call it "Extended Query Id".
>>
>> The situation is this:
>>
>>                         In-Path Attack   Out-of-path Attack
>> Plain DNS 16-bit ID     Trivial          Easy
>> Plain DNS 32-bit ID     Trivial          Hard
>> Plain DNS 128-bit ID    Trivial          Very Hard
>>
>> DNSSEC 16-bit ID        DOS Trivial      DOS Easy
>> DNSSEC 32-bit ID        DOS Trivial      DOS Hard
>> DNSSEC 128-bit ID       DOS Trivial      DOS Very Hard
>>
>> Without some kind of Query Id, DNSSEC has no protection against
>> Out-of-path DOS attacks, and would be useless.
>>
>> An Extended Query ID gives full protection, and in a cleaner,
>> stronger, and more reliable way than source port randomization. It
>> fixes the original cryptographic weakness in the protocol, namely
>> that the Query Id is not long enough.
>>
>> This strengthens both Plain DNS and DNSSEC, and in the long term
>> allows both protocols to be implemented in a straight-forward
>> manner, especially for recursors situated behind NAT devices.
>
> I disagree.  If out-of-path DOS becomes significant on DNSSEC,
> requerying mechanisms can be used.  And requerying mechanisms are
> probably advisable anyway, if only to act as implicit notification to
> the authorities that something is wrong with their DNSSEC deployment.
>
> And 2^30 packets to DOS a name, even without requerying is, bah, a
> waste of packets.  There are far, FAR better things to do.
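The mechanism that George Barwood's table and his 2^15 figure are about, as an added illustration that is not part of this thread and not code from draft-hubert-ulevitch-edns-ping: the resolver puts a random nonce in an EDNS0 option on the query, a participating server echoes it, and the resolver accepts a response only if the ID, the question and the echoed nonce all match. expected_guesses() gives the blind (off-path) attacker's cost: with a 16-bit ID and a NAT-pinned source port it is about 2^15 forged packets, with a random source port roughly 2^31, and with a nonce on top of that it is out of reach. The option code 65001 (taken from the range reserved for local/experimental use), the 8-byte nonce and the server stand-in are assumptions, since the page does not give the draft's code point or format.

```python
"""Extended query ID in an EDNS0 option: builder, server echo, resolver check,
and the blind attacker's guessing budget. Added illustration, not draft code."""
import os
import struct

# Assumed: the page gives neither the draft's option code nor its nonce size,
# so this uses a code point from the local/experimental range and 8 bytes.
PING_OPTION_CODE = 65001
NONCE_LEN = 8
TYPE_A, TYPE_OPT = 1, 41

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at off; a 2-byte compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_opt(nonce, udp_size=4096):
    """OPT pseudo-RR (root name, type 41) whose RDATA is one option: the nonce."""
    rdata = struct.pack("!HH", PING_OPTION_CODE, len(nonce)) + nonce
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata

def build_query(qid, qname, nonce=None, qtype=TYPE_A):
    """Standard query with RD set; with a nonce it also carries the OPT RR."""
    arcount = 0 if nonce is None else 1
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    return msg if nonce is None else msg + build_opt(nonce)

def parse(msg):
    """Return (id, flags, raw question section, [(rrtype, rdata), ...])."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    question = msg[12:off]
    rrs = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return qid, flags, question, rrs

def extract_nonce(msg):
    """Nonce from the message's OPT RR, or None if there is no such option."""
    for rtype, rdata in parse(msg)[3]:
        if rtype != TYPE_OPT:
            continue
        off = 0
        while off + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[off:off + 4])
            if code == PING_OPTION_CODE:
                return rdata[off + 4:off + 4 + length]
            off += 4 + length
    return None

def server_reply(query, ipv4):
    """Stand-in for a participating server: same ID and question, one A record,
    and the client's nonce echoed in its own OPT RR (no OPT if none was sent)."""
    qid, _, question, _ = parse(query)
    nonce = extract_nonce(query)
    reply = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0 if nonce is None else 1)
    reply += question + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    reply += bytes(int(o) for o in ipv4.split("."))
    return reply if nonce is None else reply + build_opt(nonce)

def accept_response(query, response):
    """Resolver check: QR set, ID and question equal, echoed nonce equal to the
    one sent. A missing echo counts as a mismatch (strict policy, see note)."""
    qid, _, question, _ = parse(query)
    rid, rflags, rquestion, _ = parse(response)
    if not rflags & 0x8000 or rid != qid or rquestion != question:
        return False
    return extract_nonce(response) == extract_nonce(query)

def expected_guesses(id_bits, port_bits=0, nonce_bits=0):
    """Expected forged packets for a blind attacker who tries each of the
    N = 2^bits candidates once: (N + 1) / 2. 16 bits: ~2^15; 16 + 16: ~2^31."""
    n = 2 ** (id_bits + port_bits + nonce_bits)
    return (n + 1) / 2

if __name__ == "__main__":
    q = build_query(0x1234, "example.com", os.urandom(NONCE_LEN))
    print("genuine accepted:", accept_response(q, server_reply(q, "192.0.2.1")))
    spoof = server_reply(build_query(0x1234, "example.com", bytes(NONCE_LEN)), "198.51.100.9")
    print("spoof with right ID, wrong nonce accepted:", accept_response(q, spoof))
    print("guesses, 16-bit ID only:", expected_guesses(16), "with random port:", expected_guesses(16, 16))
```

accept_response treats a missing echo as a mismatch. That is the strict choice; a deployed resolver still has to decide what to do when a server does not participate, which is the fallback question this thread keeps returning to and which the exchange above does not settle. The guess count is a packet budget, not a time: the attacker has to land those packets in the window before the genuine answer arrives, and a 16-bit ID with a fixed port is what makes that window cheap to fill.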
From owner-namedroppers@ops.ietf.org Tue May 12 14:47:49 2009
From: Paul Vixie <vixie@isc.org>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: "Nicholas Weaver" <nweaver@ICSI.Berkeley.EDU>, "IETF DNSEXT WG" <namedroppers@ops.ietf.org>
Date: Tue, 12 May 2009 21:45:56 +0000
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <59007.1242164756@nsa.vix.com>
In-Reply-To: Your message of "Tue, 12 May 2009 22:42:04 +0100."

> From: "George Barwood" <george.barwood@blueyonder.co.uk>
> Date: Tue, 12 May 2009 22:42:04 +0100
>
> My point was that an extended ID should not be seen as "incorrect".

it is, because of the nature of EDNS0 itself, which cannot be used this way. i'm sure that a lot of wish that EDNS0 could be used this way, but wishing won't make it so, nor will repeated assertions to the contrary, nor faith, nor hope, nor charity.

From owner-namedroppers@ops.ietf.org Wed May 13 00:31:22 2009
From: Stephane Bortzmeyer
To: Peter Koch <pk@DENIC.DE>
Cc: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Date: Wed, 13 May 2009 09:25:30 +0200
Subject: [dnsext] Re: Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <20090513072530.GA4651@nic.fr>
In-Reply-To: <20090512131251.GB5566@unknown.office.denic.de>

On Tue, May 12, 2009 at 03:12:51PM +0200, Peter Koch wrote a message of 40 lines which said:

> In addition to many of the points Wouter has raised, I'd like to
> share my observation that I feel there is a recent trend that could
> be read as an end run to process by submitting as little information
> as theoretically possible for a code point assignment and leaving
> everything else to implementors.

Hold on, there is a strong need here for a message by the chairs of the WG. Because another proposal for an extended Query ID space, DNS cookies, draft-eastlake-dnsext-cookies, was put down for precisely the opposite reason, because it was too detailed on practical use and operational issues.

Unlike cookies, the EDNS0-ping proposal, draft-hubert-ulevitch-edns-ping, ON PURPOSE, tried to stay away from these issues (see also Paul Vixie's excellent comparison with DLV).

So, we need a clear guidance to the people who try to bring new work to this WG: are they welcome to provide "as little information as theoretically possible" or should they go in great details about the USE of the new technique? In the last case, I ask for the adoption of draft-eastlake-dnsext-cookies by this WG as a work item.
From owner-namedroppers@ops.ietf.org Wed May 13 00:31:41 2009
From: bert hubert
To: Paul Vixie
Cc: George Barwood, Nicholas Weaver, IETF DNSEXT WG
Date: Wed, 13 May 2009 09:28:39 +0200
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <3efd34cc0905130028q161edc1eh2c2c9b2614e7cb5f@mail.gmail.com>
In-Reply-To: <59007.1242164756@nsa.vix.com>

On Tue, May 12, 2009 at 11:45 PM, Paul Vixie wrote:
>> From: "George Barwood"
>> Date: Tue, 12 May 2009 22:42:04 +0100
>>
>> My point was that an extended ID should not be seen as "incorrect".
>
> it is, because of the nature of EDNS0 itself, which cannot be used this way.
> i'm sure that a lot of wish that EDNS0 could be used this way, but wishing
> won't make it so, nor will repeated assertions to the contrary, nor faith,
> nor hope, nor charity.

Saying that it ain't so also does not make it not so.

Please clarify why it does not help. As stated before, repeatedly, significant percentages of queries can already benefit from EDNS ping. The goal is not 'complete and total security for everyone', but a significant boost for every server that participates.

Bert

From owner-namedroppers@ops.ietf.org Wed May 13 01:01:15 2009
From: bert hubert
To: Stephane Bortzmeyer
Cc: Peter Koch, IETF DNSEXT WG
Date: Wed, 13 May 2009 09:57:39 +0200
Subject: Re: [dnsext] Re: Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <3efd34cc0905130057v19cc0419p4bf850de9d2e8744@mail.gmail.com>
In-Reply-To: <20090513072530.GA4651@nic.fr>

On Wed, May 13, 2009 at 9:25 AM, Stephane Bortzmeyer wrote:
> So, we need a clear guidance to the people who try to bring new work
> to this WG: are they welcome to provide "as little information as
> theoretically possible" or should they go in great details about the
> USE of the new technique? In the last case, I ask for the adoption of
> draft-eastlake-dnsext-cookies by this WG as a work item.

If one major DNS vendor ('ISC' for example) were to commit to implementing Donald's cookies, and if with another (PowerDNS, say) we can work out the kinks while it is in the draft stage, it would be superior to anything currently on the table.

My main objection to draft-eastlake-dnsext-cookies is that it is eminently 'sinkable' by going into detail. So this is more of an objection to the current WG climate than to the content. But by themselves, the dns cookies are in my view almost optimal for DNS security in the coming few years.

EDNS-PING was written simply because I think it is the optimum between raising DNS security AND standing a chance to be adopted.

Bert
From: Paul Vixie
To: IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
In-Reply-To: Your message of "Wed, 13 May 2009 09:28:39 +0200." <3efd34cc0905130028q161edc1eh2c2c9b2614e7cb5f@mail.gmail.com>
References: <200904221507.n3MF7G6J047453@stora.ogud.com> <20090512131251.GB5566@unknown.office.denic.de> <42739.1242141198@nsa.vix.com> <59007.1242164756@nsa.vix.com> <3efd34cc0905130028q161edc1eh2c2c9b2614e7cb5f@mail.gmail.com>
Date: Wed, 13 May 2009 13:51:03 +0000
Message-ID: <96808.1242222663@nsa.vix.com>

> From: bert hubert
> Date: Wed, 13 May 2009 09:28:39 +0200
>
> Saying that it ain't so also does not make it not so.

i've explained the reasons. shall i keep repeating those even though neither you nor george barwood has shown any interest in the details?

> Please clarify why it does not help. As stated before, repeatedly,
> significant percentages of queries can already benefit from EDNS ping.
> The goal is not 'complete and total security for everyone', but a
> significant boost for every server that participates.

my objection is to the impedance mismatch between extended QID and EDNS, which precludes usefulness. i wanted extended QID inside EDNS itself -- my original planned use for the OPT TTL was to make it the high order bits of a 48-bit QID. it won't work, for reasons you and george barwood have been told repeatedly. extended QID in EDNS is a layering violation. "works in lab" is a very different thing than "works in whole internet".
From owner-namedroppers@ops.ietf.org Wed May 13 07:13:33 2009
From: Paul Vixie
To: IETF DNSEXT WG
Subject: [dnsext] RFC 2930 (and 2931) can do what we seem to want/need here
In-Reply-To: Your message of "Wed, 13 May 2009 09:57:39 +0200." <3efd34cc0905130057v19cc0419p4bf850de9d2e8744@mail.gmail.com>
References: <200904221507.n3MF7G6J047453@stora.ogud.com> <20090512131251.GB5566@unknown.office.denic.de> <20090513072530.GA4651@nic.fr> <3efd34cc0905130057v19cc0419p4bf850de9d2e8744@mail.gmail.com>
Date: Wed, 13 May 2009 14:10:05 +0000
Message-ID: <97544.1242223805@nsa.vix.com>

> From: bert hubert
> Date: Wed, 13 May 2009 09:57:39 +0200
>
> If one major DNS vendor ('ISC' for example) were to commit to
> implementing Donald's cookies, and if with another (PowerDNS, say) we can
> work out the kinks while it is in the draft stage, it would be superior
> to anything currently on the table.

we already have a protocol (also writ by donald eastlake) that can do this, if we're willing to keep state between recursives and authorities: RFC 2930 (TKEY) section 4.1 (Query for Diffie-Hellman Exchanged Keying), followed by TSIG.

RFC 2930 seems to prohibit this use profile in section 3 which reads:

   Except for GSS-API mode, TKEY responses MUST always have DNS
   transaction authentication to protect the integrity of any keying
   data, error codes, etc.  This authentication MUST use a previously
   established secret (TSIG) or public (SIG(0) [RFC 2931]) key and MUST
   NOT use any key that the response to be verified is itself providing.

   TKEY queries MUST be authenticated for all modes except GSS-API and,
   under some circumstances, server assignment mode.  In particular, if
   the query for a server assigned key is for a key to assert some
   privilege, such as update authority, then the query must be
   authenticated to avoid spoofing.  [However, if the key is just to be
   used for transaction security, then spoofing will lead at worst to
   denial of service.]  Query authentication SHOULD use an established
   secret (TSIG) key authenticator if available.  Otherwise, it must use
   a public (SIG(0)) key signature.
   It MUST NOT use any key that the query is itself providing.

i have highlighted the statement which i think governs our situation:

   However, if the key is just to be used for transaction security, then
   spoofing will lead at worst to denial of service.

i am comfortable with a DoS vector in TKEY-DH since these will be rare and they are not repeatably/remotely triggerable (so, there's no race until win a la kaminsky.)

and most important compared to any extended QID proposal is that the downgrade impedance matches EDNS's downgrade impedance. if TKEY-DH fails, which can be because EDNS fails, then this recursive<->authority relationship simply won't be secured by TKEY-DH and TSIG.

in terms of WG action a short two-page use profile explaining how to use TKEY-DH and TSIG to achieve greater hop-by-hop security is all we'd need. (this document could also explicitly relax the spoofing concerns quoted above from RFC 2930 when TKEY-DH is to be used only for QUERY TSIG.)

this is the least controversial and most workable proposal on the table, and i request that the WG chairs please sweep all other alternatives including the dagon/vixie dns-0x20 one into the rubbish bin so that we can get focused.

and note that for secure delegations to unsecure zones, RFC 2931 applies.
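The "transaction security" Paul's TKEY-DH-then-TSIG profile would give a recursive/authority pair is the TSIG MAC. The following is an added example, not code from the thread or from any DNS implementation: it computes and verifies the MAC exactly as RFC 2845 section 3.4 orders the covered bytes (request MAC for responses, the message as it stood before the TSIG RR was appended, then the TSIG variables), using the hmac-sha256 algorithm name from RFC 4635. The shared secret, key name, timestamp and the sample query message are constructed for the example.

```python
# Added example, not code from the thread or any DNS implementation:
# TSIG MAC computation and verification per RFC 2845 section 3.4, as it
# would run once TKEY-DH had agreed a secret between a recursive and an
# authority. SECRET, KEY_NAME, SAMPLE_QUERY and TIME_SIGNED are constructed.
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."        # algorithm name registered by RFC 4635

SECRET = b"constructed-tkey-dh-shared-secret"
KEY_NAME = "tkey-session.example."
# Minimal query (header + question for www.example. A IN), no TSIG RR yet.
SAMPLE_QUERY = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x03www\x07example\x00" + struct.pack(">HH", 1, 1))
TIME_SIGNED = 1242223805          # seconds since the epoch (48-bit on the wire)


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_digest_input(message: bytes, key_name: str, time_signed: int,
                      fudge: int, error: int = 0, other: bytes = b"",
                      request_mac: bytes = b"") -> bytes:
    """Bytes the MAC covers, in RFC 2845 order: request MAC (responses only),
    the DNS message before the TSIG RR was appended, then the TSIG variables
    (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error,
    other data)."""
    data = b""
    if request_mac:
        data += struct.pack(">H", len(request_mac)) + request_mac
    data += message
    data += wire_name(key_name)
    data += struct.pack(">HI", 255, 0)             # CLASS ANY, TTL 0
    data += wire_name(ALGORITHM)
    data += struct.pack(">Q", time_signed)[2:]      # low 48 bits of the time
    data += struct.pack(">HHH", fudge, error, len(other)) + other
    return data


def tsig_sign(secret: bytes, message: bytes, key_name: str, time_signed: int,
              fudge: int = 300, request_mac: bytes = b"") -> bytes:
    """MAC that goes into the TSIG RR appended to `message`."""
    covered = tsig_digest_input(message, key_name, time_signed, fudge,
                                request_mac=request_mac)
    return hmac.new(secret, covered, hashlib.sha256).digest()


def tsig_verify(secret: bytes, message: bytes, key_name: str, time_signed: int,
                fudge: int, mac: bytes, now: int,
                request_mac: bytes = b"") -> bool:
    """Receiver side: reject anything outside the fudge window (bounds
    replay), then compare MACs in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_sign(secret, message, key_name, time_signed, fudge,
                         request_mac)
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    mac = tsig_sign(SECRET, SAMPLE_QUERY, KEY_NAME, TIME_SIGNED)
    print("genuine query verifies:",
          tsig_verify(SECRET, SAMPLE_QUERY, KEY_NAME, TIME_SIGNED, 300, mac,
                      now=TIME_SIGNED + 5))
    # Flip the header flags: the MAC no longer matches the message.
    altered = SAMPLE_QUERY[:2] + struct.pack(">H", 0x8180) + SAMPLE_QUERY[4:]
    print("altered message verifies:",
          tsig_verify(SECRET, altered, KEY_NAME, TIME_SIGNED, 300, mac,
                      now=TIME_SIGNED + 5))
```

The downgrade behaviour Paul describes falls out of where this sits: the MAC is only checked when both ends hold a key, so a pair that never completed TKEY-DH simply exchanges unsigned messages, while a pair that did will drop any reply whose MAC or time window fails.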
From owner-namedroppers@ops.ietf.org Wed May 13 08:20:02 2009
Message-Id: <200905131515.n4DFF2ML003766@stora.ogud.com>
Date: Wed, 13 May 2009 11:14:34 -0400
To: Stephane Bortzmeyer
From: Ólafur Guðmundsson /DNSEXT chair
Subject: Re: [dnsext] Re: Adopt EDNS0 Ping, benefits vs disadvantages ?
Cc: IETF DNSEXT WG
In-Reply-To: <20090513072530.GA4651@nic.fr>
References: <200904221507.n3MF7G6J047453@stora.ogud.com> <20090512131251.GB5566@unknown.office.denic.de> <20090513072530.GA4651@nic.fr>

At 03:25 13/05/2009, Stephane Bortzmeyer wrote:
>On Tue, May 12, 2009 at 03:12:51PM +0200,
> Peter Koch wrote
> a message of 40 lines which said:
>
> > In addition to many of the points Wouter has raised, I'd like to
> > share my observation that I feel there is a recent trend that could
> > be read as an end run to process by submitting as little information
> > as theoretically possible for a code point assignment and leaving
> > everything else to implementors.
>
>Hold on, there is a strong need here for a message by the chairs of
>the WG. Because another proposal for an extended Query ID space, DNS
>cookies, draft-eastlake-dnsext-cookies, was put down for precisely the
>opposite reason, because it was too detailed on practical use and
>operational issues. Unlike cookies, the EDNS0-ping proposal,
>draft-hubert-ulevitch-edns-ping, ON PURPOSE, tried to stay away from
>these issues (see also Paul Vixie's excellent comparison with DLV).
>
>So, we need a clear guidance to the people who try to bring new work
>to this WG: are they welcome to provide "as little information as
>theoretically possible" or should they go in great details about the
>USE of the new technique? In the last case, I ask for the adoption of
>draft-eastlake-dnsext-cookies by this WG as a work item.

We (Chairs) never formally asked the WG if the cookies document should be adopted. The feeling the chairs got from the DNSEXT meetings and mailing list was that a number of people did not like the fact the proposal required state on servers and the draft did not address how to share state on anycast clusters.
EDNS0 Ping avoids the state on servers thus it works "better" with anycast clusters, with weaker security association.

Bert will be the first to report that I have hammered him hard, in private, for the "loose writing style" of the draft. The draft as it stands now expresses an idea with details to be worked out. The WG can decide to accept a rough idea for a document, but make it conditional on certain changes before gaining WG status. Once a document becomes a WG document the editors serve at the pleasure of the chairs, who monitor that the document reflects suggestions and consensus.

Below is our standard blurb to prospective editors for DNSEXT documents:
----------
Editors send preview copy of new drafts to chair(s), chair(s) either send pre approval message to drafts-administrator or editorial comments to editor.

Editors are responsible for keeping track of discussions and changes suggested/requested.

Editors serve at the pleasure of the chair and can be removed for non performance or counter-productive behavior.

Chair(s) serve as final arbitrators of WG consensus.
-----------

    Olafur
From owner-namedroppers@ops.ietf.org Wed May 13 08:25:35 2009
From: Joe Abley
To: Florian Weimer
Cc: Nicholas Weaver , Andrew Sullivan , namedroppers@ops.ietf.org
Message-Id: <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca>
In-Reply-To: <82ab5jpyrm.fsf@mid.bfk.de>
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Wed, 13 May 2009 18:21:00 +0300
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de>

On 11-May-2009, at 16:14, Florian Weimer wrote:

> * Nicholas Weaver:
>
>> I can see such an argument against EDNS0-ping, but what is your
>> argument against 0x20?
>
> Among other things, it only adds two bits of security for ccTLDs, and
> zero bits for the root.

This is only true if the QNAME is only . or . Spoofing responses for those names is a concern, but I would posit that those queries are pretty rare for most resolvers. Much more likely that someone is looking for ticketmaster.ca. than just ca. or just ".". 0x20 adds as many bits as there are characters in all labels of the QNAME.

> In fact, I fear that EDNS0 PING is easier to implement.

EDNS0 ping has the potential to expose a wide user base for whom either EDNS0 or a network which doesn't make 20-year-old inferences from the size of a UDP DNS packet (or both) are not available.

Shane and I once did some work on coming up with some real-world metrics for EDNS0 support, but we got distracted and didn't follow up. We should do that.

I don't know how to measure the impact of broken firewalls, but I'd really like to.

Joe
From owner-namedroppers@ops.ietf.org Wed May 13 08:47:33 2009
From: Florian Weimer
To: Joe Abley
Cc: Nicholas Weaver , Andrew Sullivan , namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Wed, 13 May 2009 17:42:28 +0200
In-Reply-To: <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca> (Joe Abley's message of "Wed, 13 May 2009 18:21:00 +0300")
Message-ID: <82preddn6j.fsf@mid.bfk.de>
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de> <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca>

* Joe Abley:

> On 11-May-2009, at 16:14, Florian Weimer wrote:
>
>> * Nicholas Weaver:
>>
>>> I can see such an argument against EDNS0-ping, but what is your
>>> argument against 0x20?
>>
>> Among other things, it only adds two bits of security for ccTLDs, and
>> zero bits for the root.
>
> This is only true if the QNAME is only . or .

There's also 123. or 1234.EXAMPLE. Unfortunately, there's an unlimited supply of those names.

> Spoofing responses for those names is a concern, but I would posit
> that those queries are pretty rare for most resolvers. Much more
> likely that someone is looking for ticketmaster.ca. than just ca. or
> just ".". 0x20 adds as many bits as there are characters in all labels
> of the QNAME.

You also need to protect against bad data in the authority and additional sections of a response to 12345.EXAMPLE. This is the part which is hard to implement. It makes some sense to do this even without 0x20 because it prevents a particular style of TTL evasion, and Unbound already does this (I think---perhaps not by default). Other resolvers don't.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Wed May 13 08:50:33 2009
From: Joe Abley
To: Florian Weimer
Cc: Nicholas Weaver , Andrew Sullivan , namedroppers@ops.ietf.org
Message-Id: <7032FE1F-3346-43FE-9466-9F796C7E97CE@hopcount.ca>
In-Reply-To: <82preddn6j.fsf@mid.bfk.de>
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Wed, 13 May 2009 18:48:31 +0300
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de> <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca> <82preddn6j.fsf@mid.bfk.de>

On 13-May-2009, at 18:42, Florian Weimer wrote:

> There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
> unlimited supply of those names.

So are you saying that there's no point specifying something unless it will surpass a threshold of usefulness for all possible QNAMEs?

Or are you saying that most QNAMEs are numeric, or otherwise don't benefit from 0x20?

Or something else?

Just trying to understand your objection.

Joe
From owner-namedroppers@ops.ietf.org Wed May 13 08:58:40 2009
From: Shane Kerr
To: Joe Abley
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Organization: ISC
Date: Wed, 13 May 2009 17:55:48 +0200
Message-Id: <1242230148.8625.2914.camel@shane-asus-laptop>
In-Reply-To: <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca>
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de> <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca>

All,

On Wed, 2009-05-13 at 18:21 +0300, Joe Abley wrote:
> EDNS0 ping has the potential to expose a wide user base for whom
> either EDNS0 or a network which doesn't make 20-year-old inferences
> from the size of a UDP DNS packet (or both) are not available.
>
> Shane and I once did some work on coming up with some real-world
> metrics for EDNS0 support, but we got distracted and didn't follow up.
> We should do that.

Oh yeah. :)

We did see that most name servers supported EDNS0, but only about half of the domains did. My wild-ass-guess is that lots of people hosting lots of domains can't fit them in RAM, so they use either tinydns or home-brew software, neither of which are likely to implement something as modern as EDNS0.

> I don't know how to measure the impact of broken firewalls, but I'd
> really like to.

We could do something like putting an image on a popular web page (perhaps icann.org) which is something like:

    http://www.edns0-domain.icann.org/0.jpg

The edns0-domain.icann.org site could be delegated like this:

    edns0-domain.icann.org.    NS    ns1.edns0-only.info.
                               NS    ns2.edns0-only.info.

We could then set up ns[12].edns-only.info to *only* answer queries with EDNS0 enabled. Then we measure the number of HTML pages retrieved, and the number of JPGs retrieved. We can also throw in a JPG from a site that does not require EDNS0, for comparison.

This would give some rough indication of the impact of EDNS0 in the real world.

Just an idea. :-P

--
Shane
From owner-namedroppers@ops.ietf.org Wed May 13 09:02:04 2009
From: Florian Weimer
To: Joe Abley
Cc: Nicholas Weaver , Andrew Sullivan , namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Date: Wed, 13 May 2009 17:59:36 +0200
In-Reply-To: <7032FE1F-3346-43FE-9466-9F796C7E97CE@hopcount.ca> (Joe Abley's message of "Wed, 13 May 2009 18:48:31 +0300")
Message-ID: <82ab5hdmdz.fsf@mid.bfk.de>
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de> <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca> <82preddn6j.fsf@mid.bfk.de> <7032FE1F-3346-43FE-9466-9F796C7E97CE@hopcount.ca>

* Joe Abley:

> On 13-May-2009, at 18:42, Florian Weimer wrote:
>
>> There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
>> unlimited supply of those names.
>
> So are you saying that there's no point specifying something unless it
> will surpass a threshold of usefulness for all possible QNAMEs?

A successful attack piggybacked on 1234.EXAMPLE. also affects BIGCORP.EXAMPLE., not just 1234.EXAMPLE. and its children. Something like this:

    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40853
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;1234.example.                  IN      A

    ;; ANSWER SECTION:
    1234.example.           172800  IN      A       192.0.2.1

    ;; AUTHORITY SECTION:
    example.                1728000 IN      NS      evil.example.net.

    ;; ADDITIONAL SECTION:
    evil.example.net.       1728000 IN      A       192.0.2.2

If the resolver updates its cache from the authority section (which it traditionally does), EVIL.EXAMPLE.NET. has gained control over EXAMPLE., including BIGCORP.EXAMPLE. It does not matter if 1234.EXAMPLE. actually exists, you only need successful spoofing (whose possibility we can assume for the sake of argument, otherwise why bother about 0x20?).

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
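The hardening Florian calls hard to implement, with his response above as the input, as an added example (not Unbound's or any other resolver's code): the records from his dig output are rebuilt as constructed data and passed through two checks a resolver can apply before caching. The bailiwick check is the usual one (a record is kept only if its owner is at or below the zone the queried server was chosen for, so the glue for evil.example.net. goes). The second check is this example's own policy: NS records in the authority section of a non-referral answer are never allowed to replace a cached NS set, so the poisoned delegation for example. goes too, while a genuine referral from the parent still installs one. The cached delegation for example. is constructed.

```python
# Added example, not Unbound's or any resolver's code: bailiwick and
# delegation-protection checks applied to the response in Florian's message.
# The cached delegation (ns1.example.) is constructed; the response records
# are rebuilt from his dig output.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, absolute (trailing dot)
    ttl: int
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)


def is_referral(aa: bool, answer, authority) -> bool:
    """A referral has no answer records, AA clear, and NS in authority."""
    return not aa and not answer and any(rr.rtype == "NS" for rr in authority)


def sanitize_response(zone, aa, answer, authority, additional, cache):
    """Return (accepted, dropped) for one response and add the accepted
    records to `cache`, a dict from (owner, rtype) to a set of rdata.
    `zone` is the zone the queried server was chosen to answer for.
    Each dropped record is paired with the reason it was rejected."""
    accepted, dropped = [], []
    referral = is_referral(aa, answer, authority)
    for section, rrs in (("answer", answer), ("authority", authority),
                         ("additional", additional)):
        for rr in rrs:
            if not in_bailiwick(rr.name, zone):
                dropped.append((rr, f"{section}: outside bailiwick of {zone}"))
                continue
            key = (rr.name.lower(), rr.rtype)
            # Policy assumed by this example: authority-section NS in a
            # non-referral answer must not overwrite a cached delegation.
            if (section == "authority" and rr.rtype == "NS"
                    and not referral and key in cache):
                dropped.append((rr, "authority: NS would replace cached delegation"))
                continue
            accepted.append(rr)
    for rr in accepted:
        cache.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
    return accepted, dropped


def poisoned_answer():
    """Florian's spoofed reply to 1234.example. (from his dig output)."""
    answer = [RR("1234.example.", 172800, "A", "192.0.2.1")]
    authority = [RR("example.", 1728000, "NS", "evil.example.net.")]
    additional = [RR("evil.example.net.", 1728000, "A", "192.0.2.2")]
    return True, answer, authority, additional       # aa flag is set


def fresh_cache():
    """Delegation for example. as learnt earlier from its parent (constructed)."""
    return {("example.", "NS"): {"ns1.example."},
            ("ns1.example.", "A"): {"192.0.2.53"}}


if __name__ == "__main__":
    cache = fresh_cache()
    aa, ans, auth, add = poisoned_answer()
    accepted, dropped = sanitize_response("example.", aa, ans, auth, add, cache)
    for rr in accepted:
        print("cached :", rr)
    for rr, why in dropped:
        print("dropped:", rr, "--", why)
    print("delegation still:", cache[("example.", "NS")])
```

Neither check needs 0x20 or any change on the wire, which is Florian's point that it is worth doing on its own: the answer for 1234.example. is cached, but the NS set for example. learnt from the parent survives and evil.example.net. never enters the cache.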
From owner-namedroppers@ops.ietf.org Wed May 13 09:08:12 2009
From: Shane Kerr
To: namedroppers
Subject: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
Organization: ISC
Date: Wed, 13 May 2009 18:05:56 +0200
Message-Id: <1242230756.8625.2953.camel@shane-asus-laptop>
In-Reply-To: <7032FE1F-3346-43FE-9466-9F796C7E97CE@hopcount.ca>
References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de> <6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu> <82ab5jpyrm.fsf@mid.bfk.de> <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca> <82preddn6j.fsf@mid.bfk.de> <7032FE1F-3346-43FE-9466-9F796C7E97CE@hopcount.ca>

On Wed, 2009-05-13 at 18:48 +0300, Joe Abley wrote:
> On 13-May-2009, at 18:42, Florian Weimer wrote:
>
> > There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
> > unlimited supply of those names.
>
> So are you saying that there's no point specifying something unless it
> will surpass a threshold of usefulness for all possible QNAMEs?
>
> Or are you saying that most QNAMEs are numeric, or otherwise don't
> benefit from 0x20?
>
> Or something else?
>
> Just trying to understand your objection.

Me too.

Root gets no extra protection. We get it. Really. It makes sense.

Yes we know that DNSSEC is the best solution. Yes we should encourage people to sign their domains and encourage people to run validating resolvers.

None of this means that 0x20 should not be adopted. 0x20 helps where it helps, and doesn't help in other places. We should adopt it because it improves security with a minimal cost.

Full disclosure: my vanity domain has 17 alphabetic characters, so I would be *thrilled* at the extra 17 bits of entropy. Finally a benefit to such a cumbersome name!!! :)

--
Shane
From: Florian Weimer
To: Shane Kerr
Cc: Joe Abley, namedroppers@ops.ietf.org
Date: Wed, 13 May 2009 18:17:55 +0200
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <1242230148.8625.2914.camel@shane-asus-laptop> (Shane Kerr's message of "Wed, 13 May 2009 17:55:48 +0200")
Message-ID: <8263g5dljg.fsf@mid.bfk.de>

* Shane Kerr:

> We could then set up ns[12].edns-only.info to *only* answer queries with
> EDNS0 enabled. Then we measure the number of HTML pages retrieved, and
> the number of JPG retrieved. We can also throw a JPG from a site
> that does not require EDNS0, for comparison.
>
> This would give some rough indication of the impact of EDNS0 in the real
> world.

It's totally legitimate to switch on EDNS0 only if you need it (after
receiving a truncated response, or for setting the DO bit). So the
results will certainly be misleading.

I think you'd be measuring an uninteresting number anyway. You'd need
to stuff EDNS0 responses so that they exceed some reasonable limit
(1500 bytes), while responding to non-EDNS0 queries with something in
the 512 byte window.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
From: Scott Rose
Organization: NIST
To: namedroppers@ops.ietf.org
Date: Wed, 13 May 2009 12:39:47 -0400
Subject: Re: [dnsext] WGLC TSIG MD5 Deprecated
In-Reply-To: <200905081453.n48ErDH3055593@stora.ogud.com>
Message-ID: <4A0AF7D3.9010809@nist.gov>

I have read the document and support it going forward. I commented on
the previous version, but it was background material and there really
isn't a need for it in the draft.

Scott

Ólafur Guðmundsson /DNSEXT chair wrote:
>
> This note starts a Working Group Last Call for this Standards Track
> document ending on midnight May 24'th UTZ 2009.
>
> URL for the document and its history:
> http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-tsig-md5-deprecated/
>
> This document is on the Standards Track. The document updates standards
> track documents and redefines an IANA registry.
>
> Please read the document carefully, and send your comments to the
> mailing list.
>
> The document process rules in this working group require that at least
> 5 members of the working group state that they have reviewed the document
> and there is consensus of support to publish it as a Standards Track RFC.
>
> Olafur (for the chairs)

-- 
----------------------------------------
Scott Rose
Computer Scientist
NIST
ph: +1 301-975-8439
scott.rose@nist.gov
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------
From: Paul Vixie
To: Shane Kerr
Cc: namedroppers
Date: Wed, 13 May 2009 16:44:28 +0000
Subject: Re: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: Your message of "Wed, 13 May 2009 18:05:56 +0200." <1242230756.8625.2953.camel@shane-asus-laptop>
Message-ID: <4299.1242233068@nsa.vix.com>

because dns-0x20 only asks that an interpretation of 1035 be relaxed that
nobody was interpreting the other way anyhow, and only affects recursive
servers who want to deploy it, it's a very low cost proposal. i'm in
favour of adopting it as a WG item independent of anything else we do or
don't do for hop-by-hop or end-to-end security.

(if not for the need to relax an interpretation of 1035, this could be a
BCP or FYI or experimental, rather than a standards track RFC.)
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Shane Kerr
CC: namedroppers
Date: Wed, 13 May 2009 09:43:10 -0700
Subject: Re: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <4A0AF89D.56202319@ix.netcom.com>

Shane and all,

I concur. But then again I did some 7 years ago and implemented
accordingly. Seems ICANN et al. is behind the curve as usual.

Shane Kerr wrote:
> On Wed, 2009-05-13 at 18:48 +0300, Joe Abley wrote:
> > On 13-May-2009, at 18:42, Florian Weimer wrote:
> >
> > > There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
> > > unlimited supply of those names.
> >
> > So are you saying that there's no point specifying something unless it
> > will surpass a threshold of usefulness for all possible QNAMEs?
> >
> > Or are you saying that most QNAMEs are numeric, or otherwise don't
> > benefit from 0x20?
> >
> > Or something else?
> >
> > Just trying to understand your objection.
>
> Me too.
>
> Root gets no extra protection. We get it. Really. It makes sense.
>
> Yes we know that DNSSEC is the best solution. Yes we should encourage
> people to sign their domains and encourage people to run validating
> resolvers.
>
> None of this means that 0x20 should not be adopted. 0x20 helps where it
> helps, and doesn't help in other places. We should adopt it because it
> improves security with a minimal cost.
>
> Full disclosure: my vanity domain has 17 alphabetic characters, so I
> would be *thrilled* at the extra 17 bits of entropy. Finally a benefit
> to such a cumbersome name!!! :)
>
> --
> Shane

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by P: i.e.,
whether B is less than PL." United States v. Carroll Towing (159 F.2d
169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div.
of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
From: Nicholas Weaver
To: Joe Abley
Cc: Nicholas Weaver, Florian Weimer, Andrew Sullivan, namedroppers@ops.ietf.org
Date: Wed, 13 May 2009 15:24:19 -0700
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
In-Reply-To: <34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca>
Message-Id: <870B9722-21C6-4E74-A19C-182E6338CC2C@ICSI.Berkeley.EDU>

On May 13, 2009, at 8:21 AM, Joe Abley wrote:

>
> On 11-May-2009, at 16:14, Florian Weimer wrote:
>
>> * Nicholas Weaver:
>>
>>> I can see such an argument against EDNS0-ping, but what is your
>>> argument against 0x20?
>>
>> Among other things, it only adds two bits of security for ccTLDs, and
>> zero bits for the root.
>
> This is only true if the QNAME is only . or .
>
> Spoofing responses for those names is a concern, but I would posit
> that those queries are pretty rare for most resolvers. Much more
> likely that someone is looking for ticketmaster.ca. than just ca. or
> just ".". 0x20 adds as many bits as there are characters in all
> labels of the QNAME.

Except that an attacker targeting the auth record for .ca would query
as 123.ca, 124.ca, 125.ca etc.

So that is a valid complaint.
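The 0x20 mechanism argued over in the messages above, as an added example that is not code from the thread, the draft, or any resolver: it randomises the QNAME case, encodes the question section, applies the exact-match acceptance rule, and counts the bits each name contributes, which reproduces the numbers quoted by the posters (7 for 1234.example., 2 for ca. or 123.ca., 0 for the root). The function names and the wire helpers are this example's own; the entropy accounting assumes a 16-bit ID and a 16-bit randomised source port.

```python
"""0x20 query-name case randomisation, modelled on the draft argued over in
this thread. Added example: function names and wire helpers are its own.

Resolver: randomise the case of every ASCII letter in the QNAME.
Server: echo the question section byte-for-byte.
Resolver: drop any response whose question section is not an exact match.
Each letter is one more bit a blind forger must guess, on top of the
16-bit message ID and a 16-bit randomised source port.
"""
import random
import struct


def entropy_bits_0x20(qname: str) -> int:
    """Extra bits 0x20 gives this QNAME: one per ASCII letter. Digits,
    hyphens and dots have no case, so "1234.example." yields 7, "ca." 2
    and the root "." 0, the numbers quoted in the thread."""
    return sum(1 for c in qname if c.isascii() and c.isalpha())


def forgery_bits(qname: str, id_bits: int = 16, port_bits: int = 16) -> int:
    """Bits a blind forger must match for one query: ID + port + 0x20."""
    return id_bits + port_bits + entropy_bits_0x20(qname)


def randomize_case(qname: str, rng: random.Random) -> str:
    """Resolver side: pick upper or lower case per letter. A production
    resolver must take these bits from a CSPRNG; random.Random is used
    here only so the example is reproducible."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in qname
    )


def encode_question(qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Wire-format question section (RFC 1035 4.1.2): length-prefixed
    labels, the zero-length root label, then QTYPE and QCLASS. Case is
    preserved on the wire, which is what 0x20 relies on."""
    wire = b""
    for label in qname.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, qclass)


def decode_question(wire: bytes):
    """Parse a question section back to (qname, qtype, qclass). Question
    names are never compressed, so a length byte above 63 is an error."""
    labels, pos = [], 0
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("bad label length in question section")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


def accept_0x20(sent: bytes, echoed: bytes) -> bool:
    """0x20 acceptance rule: the echoed question must equal the one sent,
    byte for byte, so a forgery in canonical case is discarded."""
    return sent == echoed


def accept_legacy(sent: bytes, echoed: bytes) -> bool:
    """Pre-0x20 behaviour (RFC 1035 2.3.3): names compare case-insensitively,
    so the same canonical-case forgery passes this check."""
    s_name, s_type, s_class = decode_question(sent)
    e_name, e_type, e_class = decode_question(echoed)
    return s_name.lower() == e_name.lower() and (s_type, s_class) == (e_type, e_class)


def randomized_question(qname: str, seed: int):
    """Resolver's half of the exchange: draw a case pattern and encode it.
    Returns (randomised name, wire question) for checking the echo."""
    name = randomize_case(qname, random.Random(seed))
    return name, encode_question(name)


if __name__ == "__main__":
    # Constructed exchange: one of the 2**7 case patterns the resolver
    # might draw for the thread's example name.
    name = "1234.eXaMpLe."
    sent = encode_question(name)
    print(name, "needs", forgery_bits(name), "bits to forge blind")
    print("genuine echo accepted:", accept_0x20(sent, sent))
    forged = encode_question("1234.example.")  # forger cannot see our case
    print("canonical-case forgery, 0x20 check:", accept_0x20(sent, forged))
    print("same forgery, legacy check:", accept_legacy(sent, forged))
```

The legacy check is what Weaver's objection turns on: for a name an attacker chooses under a zone, only the zone's own letters add bits, so the floor for 123.ca. is the same 2 bits as for ca. itself.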
From: "Antoin Verschuren"
To: "namedroppers"
Date: Thu, 14 May 2009 10:55:34 +0200
Subject: RE: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <850A39016FA57A4887C0AA3C8085F949C4FBFA@KAEVS1.SIDN.local>

0x20 helps in some cases, but at a small cost.
It's a cost we can avoid if we deploy DNSSEC.
Being Dutch and on the penny :-), I'm in favor of saving every penny we can.

To be more precise, the cost of 0x20 is:
-Increased complexity of the protocol, meaning harder to debug and to
understand DNS
-once deployed, no future protocol extension that needs the case
(in)sensitivity can be deployed
-Increased code and computation

All of this on top of the cost of DNSSEC.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970

E antoin.verschuren@sidn.nl
W http://www.sidn.nl/

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Shane Kerr
> Sent: Wednesday, May 13, 2009 6:06 PM
> To: namedroppers
> Subject: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
>
> On Wed, 2009-05-13 at 18:48 +0300, Joe Abley wrote:
> > On 13-May-2009, at 18:42, Florian Weimer wrote:
> >
> > > There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
> > > unlimited supply of those names.
> >
> > So are you saying that there's no point specifying something unless it
> > will surpass a threshold of usefulness for all possible QNAMEs?
> >
> > Or are you saying that most QNAMEs are numeric, or otherwise don't
> > benefit from 0x20?
> >
> > Or something else?
> >
> > Just trying to understand your objection.
>
> Me too.
>
> Root gets no extra protection. We get it. Really. It makes sense.
>
> Yes we know that DNSSEC is the best solution. Yes we should encourage
> people to sign their domains and encourage people to run validating
> resolvers.
>
> None of this means that 0x20 should not be adopted. 0x20 helps where it
> helps, and doesn't help in other places. We should adopt it because it
> improves security with a minimal cost.
>
> Full disclosure: my vanity domain has 17 alphabetic characters, so I
> would be *thrilled* at the extra 17 bits of entropy. Finally a benefit
> to such a cumbersome name!!! :)
>
> --
> Shane
archive: From owner-namedroppers@ops.ietf.org Thu May 14 02:15:28 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E4BA28C1DD; Thu, 14 May 2009 02:15:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.886 X-Spam-Level: * X-Spam-Status: No, score=1.886 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_NL=0.55, HELO_MISMATCH_NL=1.448, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XGu1MoYU9rrh; Thu, 14 May 2009 02:15:27 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4103C28C232; Thu, 14 May 2009 02:15:27 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M4Wzb-0006RA-FQ for namedroppers-data0@psg.com; Thu, 14 May 2009 09:12:43 +0000 Received: from [94.198.152.69] (helo=arn1-kamx.sidn.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M4WzO-0006Q9-Ch for namedroppers@ops.ietf.org; Thu, 14 May 2009 09:12:36 +0000 Received: from sidn.nl ([192.168.2.12]) by arn1-kamx.sidn.nl with ESMTP id n4E9CSku024466 for ; Thu, 14 May 2009 11:12:28 +0200 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Subject: RE: [dnsext] Forgery resilience and meeting in Stockholm Date: Thu, 14 May 2009 11:13:04 +0200 Message-ID: <850A39016FA57A4887C0AA3C8085F949C4FC00@KAEVS1.SIDN.local> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [dnsext] Forgery resilience and meeting in Stockholm Thread-Index: 
AcnT6JDHK+QNhXIZSDWCuwTd/RVtkwAiWLkw References: <20090508181422.GH2372@shinkuro.com> <82prefq1dz.fsf@mid.bfk.de><6EA0632B-7889-45D3-A81D-7E6A7406C35D@icsi.berkeley.edu><82ab5jpyrm.fsf@mid.bfk.de><34F1DCF9-6958-4A6F-9B82-036CC36B4A5F@hopcount.ca><1242230148.8625.2914.camel@shane-asus-laptop> <8263g5dljg.fsf@mid.bfk.de> From: "Antoin Verschuren" To: Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: If it's real World numbers you're after, isn't DSC computing these = correctly then ? See f.e = http://public.dsc.dns-oarc.net/grapher?plot=3Dedns_version&server=3Dns-ex= t.isc.org Don't know how they are computed, but when I look in one of the graphs = of DSC for the .nl infrastructure, I see that DSC reports that about 50% = is doing EDNS0 and 50% is doing No EDNS. I assume this is mostly = recursive resolvers, not stubs, which is even more worrisome, although = some part may be due to botnet scripts. Antoin Verschuren Technical Policy Advisor SIDN Utrechtseweg 310 PO Box 5022 6802 EA Arnhem The Netherlands T +31 26 3525500 F +31 26 3525505 M +31 6 23368970 E antoin.verschuren@sidn.nl W http://www.sidn.nl/ > -----Original Message----- > From: owner-namedroppers@ops.ietf.org [mailto:owner- > namedroppers@ops.ietf.org] On Behalf Of Florian Weimer > Sent: Wednesday, May 13, 2009 6:18 PM > To: Shane Kerr > Cc: Joe Abley; namedroppers@ops.ietf.org > Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm >=20 > * Shane Kerr: >=20 > > We could then set up ns[12].edns-only.info to *only* answer queries = with > > EDNS0 enabled. Then we measure the number of HTML pages retrieved, = and > > the number of JPG retrieved. We can can also throw a JPG from a site > > that does not require EDNS0, for comparison. > > > > This would give some rough indication of the impact of EDNS0 in the = real > > world. >=20 > It's totally legitimate to switch on EDNS0 only if you need it (after > receiving a truncated response, or for setting the DO bit). 
> So the results will certainly be misleading.
>
> I think you'd be measuring an uninteresting number anyway. You'd need
> to stuff EDNS0 responses so that they exceed some reasonable limit
> (1500 bytes), while responding to non-EDNS0 queries with something in
> the 512 byte window.
>
> --
> Florian Weimer
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100 tel: +49-721-96201-1
> D-76133 Karlsruhe fax: +49-721-96201-99

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 14 07:04:20 2009
From: bert hubert
Date: Thu, 14 May 2009 09:51:58 +0200
To: Paul Vixie
Cc: IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <3efd34cc0905140051j7b079c9bpe5ac8e58ca254912@mail.gmail.com>
In-Reply-To: <96808.1242222663@nsa.vix.com>
References: <200904221507.n3MF7G6J047453@stora.ogud.com> <20090512131251.GB5566@unknown.office.denic.de> <42739.1242141198@nsa.vix.com> <59007.1242164756@nsa.vix.com> <3efd34cc0905130028q161edc1eh2c2c9b2614e7cb5f@mail.gmail.com> <96808.1242222663@nsa.vix.com>

[ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ]

On Wed, May 13, 2009 at 3:51 PM, Paul Vixie wrote:
>> From: bert hubert
>> Date: Wed, 13 May 2009 09:28:39 +0200
>>
>> Saying that it ain't so also does not make it not so.
>
> i've explained the reasons. shall i keep repeating those even though
> neither you nor george barwood has shown any interest in the details?

You may have explained why it is not perfection. You have not explained why it would not help in practice, which it does.

> bits of a 48-bit QID. it won't work, for reasons you and george barwood
> have been told repeatedly. extended QID in EDNS is a layering violation.

Furious handwaving..

> "works in lab" is a very different thing than "works in whole internet".

Have you lost the ability to *read*? Silly statements like "the internet is far bigger than you imagine" are not convincing, even if they do come from Paul Vixie, president ISC.

The fact of the matter is that the number of servers out there supporting EDNS-PING is already non-trivial, and a few percent of ALL domain names already respond to EDNS-PING. I'm not sure how that qualifies as 'works in the lab'.
Bert

From owner-namedroppers@ops.ietf.org Thu May 14 16:15:37 2009
From: niels=ietfops@bakker.net (Niels Bakker)
Date: Fri, 15 May 2009 01:10:53 +0200
To: IETF DNSEXT WG
Subject: Re: [dnsext] Adopt EDNS0 Ping, benefits vs disadvantages ?
Message-ID: <20090514231053.GG84365@burnout.tpb.net>
In-Reply-To: <96808.1242222663@nsa.vix.com>
References: <200904221507.n3MF7G6J047453@stora.ogud.com> <20090512131251.GB5566@unknown.office.denic.de> <42739.1242141198@nsa.vix.com> <59007.1242164756@nsa.vix.com> <3efd34cc0905130028q161edc1eh2c2c9b2614e7cb5f@mail.gmail.com> <96808.1242222663@nsa.vix.com>

* vixie@isc.org (Paul Vixie) [Wed 13 May 2009, 16:20 CEST]:
[quoting bert hubert:]
>> Saying that it ain't so also does not make it not so.
>
> i've explained the reasons. shall i keep repeating those even though
> neither you nor george barwood has shown any interest in the details?

Can you give me a pointer in the archives instead? Possibly you are referring to the string of single liners you sent on April 20th? Or the next day, when you said implementing EDNS-PING would only distract people from implementing DNSSEC?

[..]

> "works in lab" is a very different thing than "works in whole internet".

QFT

-- Niels.
From owner-namedroppers@ops.ietf.org Fri May 15 03:23:38 2009
From: "Bart Smit"
Date: Fri, 15 May 2009 12:16:57 +0200 (CEST)
To: namedroppers@ops.ietf.org
Subject: [dnsext] Support for EDSN0 PING
Message-ID: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>

Dear workgroup,

As a relative outsider, but with experience in DNS operations and security, I've been following the discussions in this wg since around 2005 and I wonder why the renewed interest in forgery resilience work in the wake of Kaminsky has subsided so fast. I really had expected that last year's experience of having to rush out a solution would serve as a sort of reality check to parties involved, but this effect is markedly absent.

In fact, I now even sense the opposite. A prominent wg member recently suggested that all such (non-dnssec) work should be swept into the rubbish bin. I find this incomprehensible and somewhat disturbing.

For this reason, although I hardly feel qualified (in wg context that is) to do review, I would like to express my support for adopting draft-hubert-ulevitch-edns-ping.txt as a working group document. And yes, I'll gladly do review.

There is an interest in being able to use the ping option (it's already being done), so there's a clear need to formalize the option code.

Moreover, suggested use of this option strongly works for meeting forgery resilience demands, so I don't see why the document should not be adopted, or why it should be worth all the heated debate. It describes an option, support for which is entirely optional. This really ought to be uncontroversial.

Bart Smit
Network Engineer at BKWI, The Netherlands
(on personal title)
From owner-namedroppers@ops.ietf.org Fri May 15 05:10:13 2009
From: "W.C.A. Wijngaards"
Date: Fri, 15 May 2009 14:06:36 +0200
To: Bart Smit
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Message-ID: <4A0D5ACC.2070704@nlnetlabs.nl>
In-Reply-To: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>

Hi Bart,

Bart Smit wrote:
> In fact, I now even sense the opposite. A prominent wg member recently
> suggested that all such (non-dnssec) work should be swept into the rubbish
> bin. I find this incomprehensible and somewhat disturbing.

There is a fair number of submissions for forgery resilience, with different trade offs. The statement (IMHO) reflects an opinion on the tradeoffs: deploying a cryptographic measure may be less work than debating and deploying one after the other weak and temporary measure, with cryptography (DNSSEC) providing much better data protection too.

> For this reason, although I hardly feel qualified (in wg context that is)
> to do review, I would like to express my support for adopting
> draft-hubert-ulevitch-edns-ping.txt as a working group document. And yes,
> I'll gladly do review.

You note one of the proposals. But this proposal is badly underspecified, and as it currently stands, does not seem to really work. Is there a reason why you support this proposal?

> There is an interest in being able to use the ping option (it's already
> being done), so there's a clear need to formalize the option code.

EDNS is stripped off easily. So the current EDNS PING implementation(s) are likely unsafe. How to protect the PING option is not easy or obvious (for normal mortals). This is the basis of the dialogue you quote, one is saying EDNS is stripped easily, the other is saying it works - but without providing details that could prove the case. Based on the information I have so far, I think EDNS PING is not safe, and therefore I agree with Paul.

> Moreover, suggested use of this option strongly works for meeting forgery
> resilience demands, so I don't see why the document should not be adopted,
> or why it should be worth all the heated debate. It describes an option,
> support for which is entirely optional. This really ought to be
> uncontroversial.

Examination of forgery resilience proposals is fine with me, and if they actually add security, I would gladly adopt and implement (if the costs associated with it are not excessive or antisocial, of course). I want to point out that I was one of the first implementors of 0x20; a proposal that protects only some queries, but is very light weight, and which had already 99.99% support from authority servers.

However, I fail to see why you want a proposal that does not work? If it does work, I would appreciate documentation.

Best regards,
Wouter
From owner-namedroppers@ops.ietf.org Fri May 15 05:14:24 2009
From: Federico Lucifredi
To: Antoin Verschuren
CC: namedroppers
Date: Thu, 14 May 2009 23:59:29 -0400
Subject: Re: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <4A0CE8A1.9010607@acm.org>
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949C4FBFA@KAEVS1.SIDN.local>

[ Moderators note: Post was moderated, either because it was posted by a
non-subscriber, or because it was over 20K. With the massive amount of
spam, it is easy to miss and therefore delete relevant posts by
non-subscribers. Please fix your subscription addresses. ]

At the cost of sounding flame-y (not my intention), I must point out that
as far as complexity and pennies go, DNSSEC is the unrivaled champion.

Yes, apparently we have no better solution (maybe DNSCURVE? I have not
looked at that yet), but arguments against cheap hardening based on
trivial cost and overhead (compared to DNSSEC) seem very unfair.

Best -F

Antoin Verschuren wrote:
> 0x20 helps in some cases, but at a small cost.
> It's a cost we can avoid if we deploy DNSSEC.
> Being Dutch and on the penny :-), I'm in favor of saving every penny we can.
>
> To be more precise, the cost of 0x20 is:
> -Increased complexity of the protocol, meaning harder to debug and to understand DNS
> -once deployed, no future protocol extension that needs the case (in)sensitivity can be deployed
> -Increased code and computation
>
> All of this on top of the cost of DNSSEC.
>
> Antoin Verschuren
>
> Technical Policy Advisor
> SIDN
> Utrechtseweg 310
> PO Box 5022
> 6802 EA Arnhem
> The Netherlands
>
> T +31 26 3525500
> F +31 26 3525505
> M +31 6 23368970
> E antoin.verschuren@sidn.nl
> W http://www.sidn.nl/
>
>> -----Original Message-----
>> From: owner-namedroppers@ops.ietf.org [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Shane Kerr
>> Sent: Wednesday, May 13, 2009 6:06 PM
>> To: namedroppers
>> Subject: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm
>>
>> On Wed, 2009-05-13 at 18:48 +0300, Joe Abley wrote:
>>> On 13-May-2009, at 18:42, Florian Weimer wrote:
>>>
>>>> There's also 123. or 1234.EXAMPLE. Unfortunately, there's an
>>>> unlimited supply of those names.
>>> So are you saying that there's no point specifying something unless it
>>> will surpass a threshold of usefulness for all possible QNAMEs?
>>>
>>> Or are you saying that most QNAMEs are numeric, or otherwise don't
>>> benefit from 0x20?
>>>
>>> Or something else?
>>>
>>> Just trying to understand your objection.
>> Me too.
>>
>> Root gets no extra protection. We get it. Really. It makes sense.
>>
>> Yes we know that DNSSEC is the best solution. Yes we should encourage
>> people to sign their domains and encourage people to run validating
>> resolvers.
>>
>> None of this means that 0x20 should not be adopted. 0x20 helps where it
>> helps, and doesn't help in other places. We should adopt it because it
>> improves security with a minimal cost.
>>
>> Full disclosure: my vanity domain has 17 alphabetic characters, so I
>> would be *thrilled* at the extra 17 bits of entropy. Finally a benefit
>> to such a cumbersome name!!! :)
>>
>> --
>> Shane

--
"'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - flucifredi@acm.org - GnuPG 0x4A73884C

From owner-namedroppers@ops.ietf.org Fri May 15 06:00:10 2009
From: "Griffiths, Chris"
To: "W.C.A. Wijngaards", Bart Smit, Paul Vixie
CC: IETF Dnsext
Date: Fri, 15 May 2009 08:56:29 -0400
Subject: Re: [dnsext] Support for EDSN0 PING
In-Reply-To: <4A0D5ACC.2070704@nlnetlabs.nl>

I have read through the EDNS0 ping draft and while it is an interesting
proposal, I do not see how this could be easily implemented and in most
cases it would probably be ignored and not have a large adoption rate.

I am concentrating my time these days examining deployment and
operational scenarios for DNSSEC since this seems like the best long term
approach for DNS security. I am open to other proposals that are light
weight and make sense and can be easily implemented and stand a chance
for adoption in the real world.

I do not support this draft in its current form and agree with Wouter and
Paul on their comments. I think we should look at other proposals and
would be happy to review ones that come up.

On 5/15/09 8:06 AM, "W.C.A. Wijngaards" wrote:

> Bart Smit wrote:
>> In fact, I now even sense the opposite. A prominent wg member recently
>> suggested that all such (non-dnssec) work should be swept into the rubbish
>> bin. I find this incomprehensible and somewhat disturbing.
>
> There is a fair number of submissions for forgery resilience, with
> different trade offs. The statement (IMHO) reflects an opinion on the
> tradeoffs: deploying a cryptographic measure may be less work than
> debating and deploying one after the other weak and temporary measure,
> with cryptography (DNSSEC) providing much better data protection too.
>
>> For this reason, although I hardly feel qualified (in wg context that is)
>> to do review, I would like to express my support for adopting
>> draft-hubert-ulevitch-edns-ping.txt as a working group document. And yes,
>> I'll gladly do review.
>
> You note one of the proposals. But this proposal is badly
> underspecified, and as it currently stands, does not seem to really
> work. Is there a reason why you support this proposal?
>
>> There is an interest in being able to use the ping option (it's already
>> being done), so there's a clear need to formalize the option code.
>
> EDNS is stripped off easily. So the current EDNS PING implementation(s)
> are likely unsafe. How to protect the PING option is not easy or
> obvious (for normal mortals).
>
> This is the basis of the dialogue you quote, one is saying EDNS is
> stripped easily, the other is saying it works - but without providing
> details that could prove the case.
>
> Based on the information I have so far, I think EDNS PING is not safe,
> and therefore I agree with Paul.
>
>> Moreover, suggested use of this option strongly works for meeting forgery
>> resilience demands, so I don't see why the document should not be adopted,
>> or why it should be worth all the heated debate. It describes an option,
>> support for which is entirely optional. This really ought to be
>> uncontroversial.
>
> Examination of forgery resilience proposals is fine with me, and if they
> actually add security, I would gladly adopt and implement (if the costs
> associated with it are not excessive or antisocial, of course). I want
> to point out that I was one of the first implementors of 0x20; a
> proposal that protects only some queries, but is very light weight, and
> which had already 99.99% support from authority servers.
>
> However, I fail to see why you want a proposal that does not work?
> If it does work, I would appreciate documentation.
>
> Best regards,
>    Wouter
From owner-namedroppers@ops.ietf.org Fri May 15 06:24:51 2009
From: niels=ietfops@bakker.net
To: namedroppers@ops.ietf.org
Date: Fri, 15 May 2009 15:20:52 +0200
Subject: Re: [dnsext] Support for EDSN0 PING
Message-ID: <20090515132052.GK84365@burnout.tpb.net>
In-Reply-To: <4A0D5ACC.2070704@nlnetlabs.nl>

* wouter@NLnetLabs.nl (W.C.A. Wijngaards) [Fri 15 May 2009, 14:32 CEST]:
>EDNS is stripped off easily. So the current EDNS PING implementation(s)
>are likely unsafe. How to protect the PING option is not easy or
>obvious (for normal mortals).

Stephane Bortzmeyer wrote in
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00551.html
that resolvers can detect downgrade attacks. With e.g. a fallback to TCP
it becomes very hard to race such a resolver.

>This is the basis of the dialogue you quote, one is saying EDNS is
>stripped easily, the other is saying it works - but without providing
>details that could prove the case.

Bart Smit (whom you quoted) did not quote anybody or anything in his
email. What are you talking about?

-- Niels.

From owner-namedroppers@ops.ietf.org Fri May 15 06:33:49 2009
From: Joe Abley
To: W.C.A. Wijngaards
Cc: Bart Smit, namedroppers@ops.ietf.org
Date: Fri, 15 May 2009 16:29:50 +0300
Subject: Re: [dnsext] Support for EDSN0 PING
In-Reply-To: <4A0D5ACC.2070704@nlnetlabs.nl>

On 15-May-2009, at 15:06, W.C.A. Wijngaards wrote:

> EDNS is stripped off easily. So the current EDNS PING
> implementation(s)
> are likely unsafe. How to protect the PING option is not easy or
> obvious (for normal mortals).

To avoid a spoofed UDP fallback from EDNS0, perhaps a client could encode
its request with an EDNS0 ping payload, and ignore any apparent attempt
to fall back to UDP without EDNS0 (or a reply without the additional
matching EDNS0 ping bits present), falling back instead to TCP if
necessary.

It might be necessary to "reject" rather than "ignore" above in order for
transactions to complete promptly.

The attack on the client in this case would be to force the fallback to
TCP, and cause the client to suffer from the increased transport-layer
state.

If the above handwaving could be made to look like it was incrementally
deployable, given the relatively small number of codebases involved on
real-world recursive and authoritative servers, it's not obvious that
this is undeployable. Quite possibly that's a big "if", though.

Joe

From owner-namedroppers@ops.ietf.org Fri May 15 06:57:01 2009
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Date: Fri, 15 May 2009 09:54:12 -0400
Subject: Encouragement of debate (was: [dnsext] Support for EDSN0 PING)
Message-ID: <20090515135412.GA2984@shinkuro.com>
In-Reply-To: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>

Dear colleagues,

On Fri, May 15, 2009 at 12:16:57PM +0200, Bart Smit wrote:
> Dear workgroup, [&c.]

Given that some of the recent debate on the forgery resilience topic has
become somewhat heated, I want to hold up the first few messages in the
thread started by Bart Smit as an excellent example of how we might come
to some agreement on the topic.

In this thread, there are people in apparently strong disagreement over
what exactly the WG ought to do. But we are getting detailed arguments
that specifically address previous comments on the topic, and
refreshingly few side remarks about the individuals involved. Please
keep it up!

If we can maintain this quality of respectful debate, I predict that we
will be able to come to a conclusion that everyone can at least accept
in a cold intellectual sense, even if some of us come away unhappy that
our preferred mechanisms were not adopted.

I know it is sometimes painful to go over the same ground again. But
remember, the point is not merely to win the debate, but to expose to
technical judgement every issue, flaw, and strength of each proposal
that we can.

Thanks!

A

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

From owner-namedroppers@ops.ietf.org Fri May 15 07:24:54 2009
From: "Bart Smit"
To: "W.C.A. Wijngaards"
Cc: "Bart Smit", namedroppers@ops.ietf.org
Date: Fri, 15 May 2009 16:21:00 +0200 (CEST)
Subject: Re: [dnsext] Support for EDSN0 PING
Message-ID: <198ddd48096f047be4eedc14e80cb73e.squirrel@mx.pipe.nl>
In-Reply-To: <4A0D5ACC.2070704@nlnetlabs.nl>

W.C.A. Wijngaards wrote:

> You note one of the proposals. But this proposal is badly
> underspecified, and as it currently stands, does not seem to really
> work. Is there a reason why you support this proposal?

Given that the urgent desirability of adding sufficient entropy to
queries has been established, I see both 0x20 and ping as appropriate
measures. 0x20 is the quick but beautiful hack that piggybacks some bits
onto a query and happens to mostly work (but adds a suboptimal amount of
entropy), whereas -ping aims to fill the entropy gap by using a separate
field through an existing extension mechanism. Implementation
(server-side) seems easy enough. All complexity, however limited,
resides in the client.

I would support both ping and 0x20, but as you may sense from the above,
I see ping as more final.

I expect that for both mechanisms, the client strategies for detecting
support and fallback are somewhat similar, and would argue that they are
largely up to the client. Possible strategies and the reasons for
leaving them out of the original draft have been discussed recently.
These discussions have convinced me that it is quite doable to get this
right. Even more important: failure to get the client right mostly
impacts the client itself. The incentives are placed just right, so I
don't see a too stringent need to specify this in detail. Worries about
huge amounts of re-querying traffic have not convinced me at all.

> EDNS is stripped off easily. So the current EDNS PING implementation(s)
> are likely unsafe. How to protect the PING option is not easy or
> obvious (for normal mortals).

I'm not sure I understand you. We're talking forgery resilience. If your
adversary is in a position to strip off EDNS from existing packets, you
have much bigger worries than forgery. If you mean downgrade attacks,
then see above.

> Examination of forgery resilience proposals is fine with me, and if they
> actually add security, I would gladly adopt and implement (if the costs
> associated with it are not excessive or antisocial, of course). I want
> to point out that I was one of the first implementors of 0x20; a
> proposal that protects only some queries, but is very light weight, and
> which had already 99.99% support from authority servers.

Good. But then I still don't understand your reasons for not supporting
the draft. Is it that I misunderstood your point about EDNS being unsafe?

regards,

Bart

From owner-namedroppers@ops.ietf.org Fri May 15 07:41:49 2009
From: Paul Vixie
To: "Bart Smit"
cc: namedroppers@ops.ietf.org
Date: Fri, 15 May 2009 14:38:22 +0000
Subject: Re: [dnsext] Support for EDSN0 PING
Message-ID: <19043.1242398302@nsa.vix.com>
In-Reply-To: Your message of "Fri, 15 May 2009 12:16:57 +0200." <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>

> Date: Fri, 15 May 2009 12:16:57 +0200 (CEST)
> From: "Bart Smit"
>
> As a relative outsider, but with experience in DNS operations and
> security, I've been following the discussions in this wg since around
> 2005 and I wonder why the renewed interest in forgery resilience work in
> the wake of Kaminsky has subsided so fast. I really had expected that
> last year's experience of having to rush out a solution would serve as a
> sort of reality check to parties involved, but this effect is markedly
> absent. In fact, I now even sense the opposite. A prominent wg member
> recently suggested that all such (non-dnssec) work should be swept into
> the rubbish bin. I find this incomprehensible and somewhat disturbing.

since i mentioned a rubbish bin recently but the above is not a fair
summary let me say that TKEY-DH plus TSIG is an existing (already
specified but not widely implemented) method of holding session state
between pairwise UDP/53 speakers that would absolutely and totally
protect hop by hop communications between cooperating initiator/responder
pairs. the stuff that i directed toward the rubbish bin was every other
current proposal, including my own (dns-0x20).

> For this reason, although I hardly feel qualified (in wg context that is)
> to do review, I would like to express my support for adopting
> draft-hubert-ulevitch-edns-ping.txt as a working group document. And yes,
> I'll gladly do review.

PING is a layering violation for EDNS and does not add any real security.
(as the author of EDNS [RFC2671] i already tried to add an extended QID
and found that it could not be done; nothing has changed since RFC2671
came out.)

> There is an interest in being able to use the ping option (it's already
> being done), so there's a clear need to formalize the option code.
> Moreover, suggested use of this option strongly works for meeting forgery
> resilience demands, so I don't see why the document should not be adopted,
> or why it should be worth all the heated debate. It describes an option,
> support for which is entirely optional. This really ought to be
> uncontroversial.

it's controversial because it only works when it works, and when it
fails, there's no distinction between an attack and a failure. we were
not idiots back in the old days when EDNS was being crafted. we knew we
needed a larger QID. we tried hard to include it. there's no way to do it
and still properly negotiate EDNS. secure protocol engineering is
apparently not as easy as it looks.

> Bart Smit
>
> Network Engineer at BKWI, The Netherlands
> (on personal title)

paul vixie
author, RFC 2671, http://www.ietf.org/rfc/rfc2671.txt
co-author, DNS-0x20, http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
From owner-namedroppers@ops.ietf.org Fri May 15 08:02:23 2009
Message-Id: <200905151459.n4FExr5c012251@stora.ogud.com>
Date: Fri, 15 May 2009 10:52:08 -0400
To: namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT chair
Subject: [dnsext] Point of order

The chairs want to clarify a few issues:

The standard for adopting a document is much lower than the standard for advancing a document. Accepting a document is the WG saying we think there might be some merit to the idea. Advancing a document is the WG saying we have examined the issues, studied the implications and think this is for the better.

Accepting a document that is a rough idea is fine; documents should improve from WG feedback. Once a document is a WG document the editor of the document MUST reflect the will of the WG in the document even if he/she disagrees. Adopting a document is NO guarantee the document will advance, as the WG may at any time decide to kill the document.

We have a restriction on adopting documents, which is that we have at least five committed reviewers. This does not commit those reviewers to approving the document in the end. It merely is a commitment on the part of those reviewers to the editor(s) and WG chairs that they will in fact perform the review. We have this restriction just so WG documents don't end up languishing at the end for want of final review.

Secondly, due to our current charter, adding any of the documents listed in Andrew's message on further FR documents:
http://psg.com/lists/namedroppers/namedroppers.2009/msg00676.html
and/or adding any GOST algorithm support
http://psg.com/lists/namedroppers/namedroppers.2009/msg00422.html
will require a charter update. The chairs plan on submitting a new charter to the WG next week once we have determined the list of drafts and topics to be admitted.

Olafur (and Andrew)
From owner-namedroppers@ops.ietf.org Fri May 15 08:02:26 2009
From: Paul Vixie
To: niels=ietfops@bakker.net
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
In-Reply-To: Your message of "Fri, 15 May 2009 15:20:52 +0200." <20090515132052.GK84365@burnout.tpb.net>
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl> <4A0D5ACC.2070704@nlnetlabs.nl> <20090515132052.GK84365@burnout.tpb.net>
Date: Fri, 15 May 2009 14:58:23 +0000
Message-ID: <19931.1242399503@nsa.vix.com>

> Date: Fri, 15 May 2009 15:20:52 +0200
> From: niels=ietfops@bakker.net
>
> Stephane Bortzmeyer wrote in
> http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00551.html
> that resolvers can detect downgrade attacks. With e.g. a fallback to TCP
> it becomes very hard to race such a resolver.

in http://www.ietf.org/rfc/rfc1035.txt we see the following text:

+---
| 4.2.2. TCP usage
|
| Messages sent over TCP connections use server port 53 (decimal). The
| message is prefixed with a two byte length field which gives the message
| length, excluding the two byte length field. This length field allows
| the low-level processing to assemble a complete message before beginning
| to parse it.
|
| Several connection management policies are recommended:
|
| - The server should not block other activities waiting for TCP
| data.
|
| - The server should support multiple connections.
|
| - The server should assume that the client will initiate
| connection closing, and should delay closing its end of the
| connection until all outstanding client requests have been
| satisfied.
|
| - If the server needs to close a dormant connection to reclaim
| resources, it should wait until the connection has been idle
| for a period on the order of two minutes. In particular, the
| server should allow the SOA and AXFR request sequence (which
| begins a refresh operation) to be made on a single connection.
| Since the server would be unable to answer queries anyway, a
| unilateral close or reset may be used instead of a graceful
| close.
+---

this is utterly damning of any proposal involving "use TCP to aid security", whether in fallback, primary use, or parallel use. a close reading of 4.2.2 and some experience implementing and operating name servers makes it obvious that TCP only works when nobody benefits from breaking it. the DDoS vector opened by the above text can be implemented in a one line perl script. TCP is usable for AXFR/IXFR, but for QUERY, it's a simple recipe for disaster.
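The server side of the 4.2.2 text quoted above, as an added example that is not code from the thread or from any name server: the two-byte length-prefixed framing, plus a connection table that bounds the "dormant connection" handling the RFC leaves open-ended (a per-client cap, a total cap with longest-idle eviction, and an idle sweep). The limits, addresses and traffic are constructed values.

```python
"""RFC 1035 4.2.2 TCP framing with bounded connection state (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

DNS_HEADER_LEN = 12  # a frame shorter than the fixed header cannot be a DNS message


class TcpDnsFramer:
    """Reassembles length-prefixed DNS messages; TCP chunks may split anywhere."""

    def __init__(self) -> None:
        self.buf = bytearray()  # never holds more than one incomplete frame (<= 2 + 65535 bytes)

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        messages: List[bytes] = []
        while len(self.buf) >= 2:
            length = int.from_bytes(self.buf[:2], "big")  # excludes the 2-byte prefix itself
            if length < DNS_HEADER_LEN:
                raise ValueError(f"frame length {length} shorter than a DNS header")
            if len(self.buf) < 2 + length:
                break  # wait for the rest of this frame
            messages.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return messages


@dataclass
class Conn:
    client: str
    last_active: float
    framer: TcpDnsFramer = field(default_factory=TcpDnsFramer)


class ConnectionTable:
    """Caps total and per-client TCP connections and evicts dormant ones.

    The RFC suggests keeping idle connections 'on the order of two minutes'; done
    unconditionally, that lets any client pin server resources, so the limits are
    enforced at admission as well as by a periodic idle sweep.
    """

    def __init__(self, max_total: int, max_per_client: int, idle_limit: float) -> None:
        self.max_total, self.max_per_client, self.idle_limit = max_total, max_per_client, idle_limit
        self.conns: Dict[int, Conn] = {}
        self.per_client: Dict[str, int] = {}

    def _close(self, conn_id: int) -> None:
        conn = self.conns.pop(conn_id)
        self.per_client[conn.client] -= 1
        if self.per_client[conn.client] == 0:
            del self.per_client[conn.client]

    def evict_idle(self, now: float) -> List[int]:
        """Closes every connection dormant for longer than idle_limit."""
        idle = [cid for cid, c in self.conns.items() if now - c.last_active > self.idle_limit]
        for cid in idle:
            self._close(cid)
        return idle

    def admit(self, conn_id: int, client: str, now: float) -> bool:
        """Accepts a connection, dropping the longest-idle one if the table is full."""
        self.evict_idle(now)
        if self.per_client.get(client, 0) >= self.max_per_client:
            return False  # one client may not monopolise the table
        if len(self.conns) >= self.max_total:
            self._close(min(self.conns, key=lambda cid: self.conns[cid].last_active))
        self.conns[conn_id] = Conn(client, now)
        self.per_client[client] = self.per_client.get(client, 0) + 1
        return True

    def touch(self, conn_id: int, now: float) -> None:
        self.conns[conn_id].last_active = now


def demo() -> Dict[str, object]:
    """Constructed traffic: two frames split across odd chunk boundaries, then a squeeze."""
    framer = TcpDnsFramer()
    msg_a = bytes(range(12)) + b"a" * 4    # 16-byte pseudo message (header + padding)
    msg_b = bytes(range(12)) + b"b" * 20   # 32-byte pseudo message
    stream = len(msg_a).to_bytes(2, "big") + msg_a + len(msg_b).to_bytes(2, "big") + msg_b
    got: List[bytes] = []
    for i in range(0, len(stream), 19):    # 19-byte reads split the second length prefix
        got.extend(framer.feed(stream[i:i + 19]))

    table = ConnectionTable(max_total=3, max_per_client=2, idle_limit=120.0)
    admitted = [table.admit(cid, "203.0.113.9", now=0.0) for cid in (1, 2, 3)]  # third refused
    admitted.append(table.admit(4, "198.51.100.2", now=10.0))  # another client still fits
    admitted.append(table.admit(5, "192.0.2.77", now=20.0))    # table full: conn 1 is dropped
    table.touch(5, 150.0)                                       # conn 5 stays active
    return {"messages": got, "admitted": admitted, "open": sorted(table.conns),
            "evicted_at_200": table.evict_idle(200.0)}


if __name__ == "__main__":
    print(demo())
```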
Date: Fri, 15 May 2009 11:03:54 -0400
To: namedroppers@ops.ietf.org
From: Edward Lewis
Subject: [dnsext] TSIG, TKEY, and IPSEC
Cc: ed.lewis@neustar.biz

As an operator of DNS, my concern about forgery resilience comes from "how many mechanisms do I have to support?" One of the strengths of DNS is its simplicity and lightweight nature. That is one reason why it has scaled so well, why it and not X.500 is dominant today. Adding more and more optional mechanisms takes away from that. Referring to "falling back" from one mechanism to another kind of bothers me.

When it comes to client and server message exchange, we already have TSIG and TKEY. TSIG is of course shared secret and that has limited scaling, best within some sort of administrative domain (recursive server and stubs or amongst authorities for a zone). I haven't dabbled in TKEY (yes, I know I was a contributor but that was a long time ago), so I'll put forward the question - does anyone use it? Is it useful? Is there a problem with it?

We also have the non-DNS IPSEC option. Perhaps there is an issue with IPSEC'ing across the world, but it's not clear to me. If anyone knows a reason why it's not a candidate it would be good to hear.

The reason I am bringing this up is these are solutions already documented. That doesn't mean they are good solutions, but maybe they are. If something is available and unused, is it because no one has been using it or is it because the solution isn't that good after all? Just because it is in print and/or code doesn't make it a good idea.

I'll stop at this point. Is there any WG assessment of TSIG, TKEY, oh, and SIG(0) or even IPSEC as a forgery resilience mechanism? Why do we need to invent more?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From owner-namedroppers@ops.ietf.org Fri May 15 08:32:29 2009
Message-ID: <4A0D89D3.2090905@nlnetlabs.nl>
Date: Fri, 15 May 2009 17:27:15 +0200
From: "W.C.A. Wijngaards"
To: bert hubert
CC: Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl> <4A0D5ACC.2070704@nlnetlabs.nl> <3efd34cc0905150612s464a4750v8924a707ea2cf7ff@mail.gmail.com>
In-Reply-To: <3efd34cc0905150612s464a4750v8924a707ea2cf7ff@mail.gmail.com>

Hi Bert,

bert hubert wrote:
> Weird - a wise man read my thoughts on how EDNS PING could work..
> http://article.gmane.org/gmane.ietf.dnsext/13806
> But it appears you've changed your mind?

No, I still believe EDNS PING to be very, very much in danger of downgrade. But, I was happy, in the above reference, that we were moving into more secure territory. Of course, securing one part is I think a good step, but opponents always choose the weakest part...

> How is it easy? - as outlined in the URL mentioned above, and as
> implemented, it is very hard to downgrade a 'known pinger'.

Actually no, because if the negative reply does not have the long random number then the downgrade is very easy in fact. And there may be more cases. The only sane way to deal with that is to enumerate all of the trouble spots and deal with them. Sort of what my forgery resilience draft attempts for Kaminsky-attack packets. (if you can protect the probe really well, then maybe we could use the same method for all queries? ... just a silly idea)

> This is bordering on the ridiculous - we discussed previously what the
> goals of EDNS-PING were, and we had a decent discussion on how to
> achieve those goals. And now 'it does not work'.

I think the message is a good step forwards. Maybe we can continue that line of investigation. There are many questions left unanswered, and the draft needs much more text. We need to know the full resolver algorithm that is proposed for EDNS PING. Then this needs to be documented (at some level of abstraction).

Best regards,
Wouter
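The "known pinger" argument above, and Paul's earlier point that a missing echo is indistinguishable from a failure, as an added model that is not code from the draft, the thread or any resolver. Messages are plain dataclasses rather than DNS wire format, the nonce stands in for the EDNS PING option payload, and the server addresses are constructed; the `require_echo_on_negative` switch is the policy choice Wouter is pointing at.

```python
"""Resolver-side EDNS PING nonce check (constructed model, not wire format)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

NOERROR, NXDOMAIN = 0, 3  # RCODEs used by the scenarios below


@dataclass
class Query:
    qid: int
    qname: str
    nonce: bytes  # random value sent in the PING option; an aware server echoes it


@dataclass
class Reply:
    qid: int
    qname: str
    rcode: int
    answer: Optional[str] = None
    nonce: Optional[bytes] = None  # None: no PING option (unsupported, stripped or forged)


@dataclass
class Verdict:
    accepted: bool
    reason: str


class PingResolver:
    """Tracks outstanding queries and which servers have proven they echo the nonce."""

    def __init__(self, require_echo_on_negative: bool = True) -> None:
        # Must a known pinger echo on NXDOMAIN and other negative replies as well?
        self.require_echo_on_negative = require_echo_on_negative
        self.known_pingers: Set[str] = set()
        self.pending: Dict[Tuple[str, int], Query] = {}

    def send(self, server: str, qname: str) -> Query:
        qid = secrets.randbelow(1 << 16)
        while (server, qid) in self.pending:
            qid = secrets.randbelow(1 << 16)
        query = Query(qid, qname, secrets.token_bytes(8))
        self.pending[(server, qid)] = query
        return query

    def receive(self, server: str, reply: Reply) -> Verdict:
        key = (server, reply.qid)
        query = self.pending.get(key)
        if query is None or query.qname != reply.qname:
            return Verdict(False, "no matching outstanding query")
        if reply.nonce is not None:
            if reply.nonce != query.nonce:
                return Verdict(False, "nonce mismatch")  # a matching QID alone is not enough
            self.known_pingers.add(server)
            del self.pending[key]
            return Verdict(True, "nonce echoed")
        # No nonce at all. For a server that echoed before, this is the downgrade case;
        # the query stays pending, so a later genuine reply can still be accepted.
        if server in self.known_pingers:
            negative = reply.rcode != NOERROR
            if not negative or self.require_echo_on_negative:
                return Verdict(False, "known pinger replied without nonce: downgrade or failure")
            del self.pending[key]
            return Verdict(True, "negative reply accepted without nonce (weak policy)")
        del self.pending[key]
        return Verdict(True, "server not known to ping: only QID and qname checked")


def run_scenarios() -> Dict[str, bool]:
    """Plays the cases argued in the thread; returns which replies were accepted."""
    out: Dict[str, bool] = {}
    ns = "192.0.2.53"  # constructed server address

    strict = PingResolver(require_echo_on_negative=True)
    q = strict.send(ns, "www.example.")
    out["genuine_echo"] = strict.receive(ns, Reply(q.qid, q.qname, NOERROR, "192.0.2.10", q.nonce)).accepted
    # ns is now a known pinger. A negative reply with the right QID but no nonce,
    # which is what a stripped or forged reply looks like, is refused...
    q = strict.send(ns, "mail.example.")
    out["strict_negative_no_nonce"] = strict.receive(ns, Reply(q.qid, q.qname, NXDOMAIN)).accepted
    # ...while the echoing reply to the same query still lands.
    out["genuine_after_reject"] = strict.receive(ns, Reply(q.qid, q.qname, NXDOMAIN, None, q.nonce)).accepted

    weak = PingResolver(require_echo_on_negative=False)
    q = weak.send(ns, "www.example.")
    weak.receive(ns, Reply(q.qid, q.qname, NOERROR, "192.0.2.10", q.nonce))
    q = weak.send(ns, "mail.example.")
    out["weak_negative_no_nonce"] = weak.receive(ns, Reply(q.qid, q.qname, NXDOMAIN)).accepted

    other = "198.51.100.7"  # a server never seen echoing gets no PING protection at all
    q = strict.send(other, "www.example.")
    out["unknown_server_no_nonce"] = strict.receive(other, Reply(q.qid, q.qname, NOERROR, "198.51.100.8")).accepted
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:26s} accepted={accepted}")
```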
Date: Fri, 15 May 2009 12:20:49 -0400
From: Matt Larson
To: namedroppers@ops.ietf.org
Subject: Support to adopt EDNS PING (was Re: [dnsext] Point of order)
Message-ID: <20090515162049.GE682@dul1mcmlarson-l1.labs.vrsn.com>
References: <200905151459.n4FExr5c012251@stora.ogud.com>
In-Reply-To: <200905151459.n4FExr5c012251@stora.ogud.com>

[ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ]

On Fri, 15 May 2009, Olafur Gudmundsson wrote:
> The standard for adopting a document is much lower than the standard for
> advancing a document.

Then I support adopting EDNS PING, and will commit to review it, with the full understanding that the failure-indistinguishable-from-fallback characteristic could prove unsurmountable. By adopting the document, we can consider it carefully and separate that discussion from the "should we adopt it or not" discussion. In other words, I'm suggesting that adopting the document will put us in a better place to more carefully consider it than we are now.

Matt

From owner-namedroppers@ops.ietf.org Fri May 15 11:37:51 2009
Message-Id: <200905151834.n4FIYX81014840@stora.ogud.com>
Date: Fri, 15 May 2009 14:33:55 -0400
To: namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT chair
Subject: [dnsext] Adopting GOST digital signature algorithm document

On April 13th 2009 the chairs asked the WG about adoption of draft-dolmatov-dnsext-gost-dnssec-00.txt
http://psg.com/lists/namedroppers/namedroppers.2009/msg00422.html

5 people stated that they supported the adoption of the document: Paul Hoffman, Edward Lewis, Ondrej Sury, Sam Weiler and Wouter Wijngaards. There were other people that voiced opposition to the draft. Thus the draft meets the criteria for adoption.

The chairs also asked for opinions from the CFRG mailing list:
http://www.irtf.org/mail-archive/web/cfrg/current/msg02612.html
At this point no conclusion can be drawn from the discussion there.

The current DNSKEY registry
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
states that the criterion for adding a new algorithm is IETF standards action. This means DNSEXT is the ONLY conduit for new algorithms. The same goes for the DS digest.

During the discussion on the mailing list there was some discussion on what criteria to use for adoption of new algorithms and the status of different algorithms. Currently the registry has two states, 'allowed to sign zone' Y/N. Some people have stated to the Chairs (on and off-list) that they have no objection to registering new algorithms if algorithms can be marked as "optional". Currently the WG has no policy on accepting or refusing adding new algorithms.

Sam Weiler pointed out that the draft is proposing adding a new NSEC3 obfuscating function:
http://psg.com/lists/namedroppers/namedroppers.2009/msg00503.html
Defining such a function has a high threshold as RFC5155 requires that the next obfuscating function needs to offer algorithm agility and specify the transition in a zone between obfuscation functions.

Due to the importance for Russia to be able to use a standard DNSSEC algorithm soon, the Chairs' conclusion:

A document containing:
- DNSKEY GOST R 34.10-2001 with GOST R 34.11-94 registration
- DS GOST R 34.11-94 registration
will be adopted as a WG document.

Due to the restricted charter, adding this document will require a charter update. The chairs plan to submit a new charter late next week that includes charter changes required by this document and any forgery resilience documents.

Any NSEC3 obfuscation function specification must be separated into a different document. If such a document is submitted, the Chairs will issue a separate call for adoption for that document.

Olafur (and Andrew)
From owner-namedroppers@ops.ietf.org Fri May 15 12:28:37 2009
Date: Fri, 15 May 2009 19:23:41 +0000
From: bmanning@vacation.karoshi.com
To: Ólafur Guðmundsson /DNSEXT chair
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Adopting GOST digital signature algorithm document
Message-ID: <20090515192341.GA15650@vacation.karoshi.com.>
References: <200905151834.n4FIYX81014840@stora.ogud.com>
In-Reply-To: <200905151834.n4FIYX81014840@stora.ogud.com>

thank you... i look forward to lively debate.

--bill

From owner-namedroppers@ops.ietf.org Fri May 15 15:06:32 2009
:subject:to:cc:content-type:content-transfer-encoding; bh=O5CdFEN6gv+ObK22VymaD5G/w7fJTgXikdyj2Md7RW0=; b=PTAJrCzTJQFnozUDcbVxC9r7yOrKDCUxkgkE4ERmOnpxNCgr1GpcsZo+ZNIRKAlfsi 5IHIOiIGhMi9ATfhS4972pKkMgMqz7JJD/MSKImAIjALRMgqETb5jAf3YaX9udBIso4t 2Coa9GOR39gYTZZOY1u60h9HjMDurHiaNpP/M= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; b=MJyu6jUIpQM7kZfG4B5w3Nd+JXvKr7fAeC2yfyEEa9uJZPIQy/KSsXc+h2YyY2tbkj JWoNm1ba0hU5DJCO0YmFpGnXl+W88q6/MzFsvrAd4sw/mFwKlZ7/27FdcQh5htoBQ0R/ nnnbOeN4ZPuXS3j5tvz+m7IfE5Eemzvd1L/fA= MIME-Version: 1.0 Received: by 10.210.20.17 with SMTP id 17mr1468792ebt.39.1242424997085; Fri, 15 May 2009 15:03:17 -0700 (PDT) From: bert hubert Date: Sat, 16 May 2009 00:02:57 +0200 Message-ID: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> Subject: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order To: "dnsext-chairs@tools.ietf.org" Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Hi everybody, As I hope you all know, I care deeply about the practical & real life security of DNS. It is for this reason that I started the forgery resilience draft, and kept it alive for 2+ years, in the face of stern opposition. Afterwards, it appears consensus was raised that RFC 5452 (as forgery resilience became known) would not be able to provide sufficient protection against 'Kaminsky Spoofing', and the WG opened up discussions on 'further resilience' work, especially for the interim period until we would have full DNSSEC deployment. >From this discussion, several drafts emanated, of which EDNS-PING was picked as one (among several others) to be discussed further. In the course of the 'further resilience' discussions, the question if further resilience would detract from DNSSEC work was often raised. 
It has now become very clear that the perceived answer to this question
is 'yes' - to the point that the IAB has been asked [1] to weigh in to
see if it should stop the 'dilution' of WG interest in DNSSEC.

Even though EDNS-PING never claimed to be anything but forgery-resilience
for clients & servers that supported it, it is now expected to provide
perfect security for everybody. Additionally, the draft is supposed to go
into great detail on how exactly to deploy this forgery-resilience tactic.
Such detailed drafts never become RFCs.

Also, EDNS-PING has now been labelled as 'complex' and 'costly', an
expense which could be spared by the speedy rollout of DNSSEC, which
apparently is neither. [2]

I have also been pointedly informed [3] that EDNS-PING, which requires an
EDNS option code, can't succeed as an individual draft either since only
the DNSEXT WG can authorize the issue of such an EDNS option code from
IANA.

In addition, even though >1% of all DNS zones currently served respond to
an EDNS-PING request, I've been told that my 'home experiments' are no
proof that EDNS-PING can work.

In the face of such sage wisdom, I've decided to give up, and I withdraw
my request for adoption of draft-hubert-ulevitch-edns-ping.

DNS security for me is a work of love, and not a business activity. And
to be honest, the nature of the DNS community (as experienced on the
lists) has removed any joy I had from working on DNS standardisation.

I wish everybody good luck with their favorite ways to improve the
security of the domain name system. I sincerely hope you succeed.

	Bert

PS: The IPR statement in draft-hubert-ulevitch-edns-ping holds, so anyone
wanting to take it over should feel free to do so.
[1] http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00578.html
[2] http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00577.html
[3] http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00676.html

From owner-namedroppers@ops.ietf.org Fri May 15 16:38:32 2009
From: Bart Smit
To: namedroppers@ops.ietf.org
In-Reply-To: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
Date: Sat, 16 May 2009 01:33:53 +0200
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>

On 2009-05-16, at 00:02, bert hubert wrote:
> In the face of such sage wisdom, I've decided to give up, and I
> withdraw my
> request for adoption of draft-hubert-ulevitch-edns-ping.

I find it quite sad and ironic to see this happen on the very day that
I've decided to step in, for about the same reasons as Bert had to step
out. The words "too late" cross my mind.

Bart

From owner-namedroppers@ops.ietf.org Fri May 15 17:08:08 2009
Date: Sat, 16 May 2009 00:03:13 +0000
From: bmanning@vacation.karoshi.com
To: Bart Smit
Cc: namedroppers@ops.ietf.org
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
Message-ID: <20090516000313.GA19843@vacation.karoshi.com.>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>

On Sat, May 16, 2009 at 01:33:53AM +0200, Bart Smit wrote:
> On 2009-05-16, at 00:02, bert hubert wrote:
> >In the face of such sage wisdom, I've decided to give up, and I
> >withdraw my
> >request for adoption of draft-hubert-ulevitch-edns-ping.
>
> I find it quite sad and ironic to see this happen on the very day that
> I've decided to step in, for about the same reasons as Bert had to step
> out. The words "too late" cross my mind.
>
> Bart

the bar is set pretty high for any development work to be done,
both at the WG level(*) and at the institutional (IETF/IESG) level.

how many folks would be interested in spinning up a list to
discuss augmentation/enhancement to the DNS that falls outside
the (self-imposed) constraints of the IETF DNSEXT-WG?
--bill

From owner-namedroppers@ops.ietf.org Fri May 15 18:04:27 2009
Message-ID: <4A0E0FB5.335C122F@ix.netcom.com>
Date: Fri, 15 May 2009 17:58:29 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Andrew Sullivan
CC: namedroppers@ops.ietf.org
Subject: Re: Encouragement of debate (was: [dnsext] Support for EDSN0 PING)
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl>
  <20090515135412.GA2984@shinkuro.com>

Andrew and all,

Thank you Andrew, I could not agree more. Whatever the results of such a
debate are or are perceived to be, my organization's effective and
time-proven methods will not likely change much if at all. Whatever
methods or approaches are largely decided upon, if proven to be effective
or even if only perceived to be somewhat effective, any effort to thwart
REAL pirating or forgery is at least a step or several steps in the right
direction. Certainly the IP lobbyists, poly-wonkers and well meaning
politicians need all the REAL technical help and follow-on education they
can get! That said, and I hope properly understood, let's get busy!

Andrew Sullivan wrote:
> Dear colleagues,
>
> On Fri, May 15, 2009 at 12:16:57PM +0200, Bart Smit wrote:
> > Dear workgroup,
> > [&c.]
>
> Given that some of the recent debate on the forgery resilience topic
> has become somewhat heated, I want to hold up the first few messages
> in the thread started by Bart Smit as an excellent example of how we
> might come to some agreement on the topic. In this thread, there are
> people in apparently strong disagreement over what exactly the WG
> ought to do.
> But we are getting detailed arguments that specifically
> address previous comments on the topic, and refreshingly few side
> remarks about the individuals involved.
>
> Please keep it up! If we can maintain this quality of respectful
> debate, I predict that we will be able to come to a conclusion that
> everyone can at least accept in a cold intellectual sense, even if
> some of us come away unhappy that our preferred mechanisms were not
> adopted. I know it is sometimes painful to go over the same ground
> again. But remember, the point is not merely to win the debate, but
> to expose to technical judgement every issue, flaw, and strength of
> each proposal that we can.
>
> Thanks!
>
> A
>
> --
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by P: i.e.,
whether B is less than PL." United States v. Carroll Towing (159 F.2d 169
[2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
From owner-namedroppers@ops.ietf.org Fri May 15 19:42:37 2009
From: Andrew Sullivan
To: "bmanning@vacation.karoshi.com"
In-Reply-To: <20090516000313.GA19843@vacation.karoshi.com.>
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
Date: Fri, 15 May 2009 22:36:18 -0400
Cc: Bart Smit, "namedroppers@ops.ietf.org"

Dear colleagues,

This is a plea from one co-chair, speaking personally.

On 15-May-09, at 20:03, bmanning@vacation.karoshi.com wrote:
> how many folks would be interested in spinning up a list to
> discuss augmentation/enhancement to the DNS that falls outside
> the (self-imposed) constraints of the IETF DNSEXT-WG?
> --bill

Before this thread turns into a debate about whether DNS protocol
development should happen elsewhere, I'd like to remind everyone that we
have an open debate on a number of options, and no decision of any kind
has been taken. We chairs set a deadline before which we wanted debate
to proceed to see whether a consensus might emerge. That date is next
week, and I can't see any strong reason to try to change it now. We also
said we'd have a meeting in Stockholm if no consensus emerged.

Any option that was on the table remains there (and perhaps some new
ones are introduced). That's true even if we are forced unhappily to
accept that someone has walked away in frustration.

So, please, can we focus on the options before us (that is, the ones
Olafur and I listed in our pre-meeting announcement and any that have
come up since)? Thanks.

A
From owner-namedroppers@ops.ietf.org Sat May 16 09:49:20 2009
Message-ID: <4A0EEC5A.2020708@post.harvard.edu>
Date: Sat, 16 May 2009 12:39:54 -0400
From: Federico Lucifredi
To: Andrew Sullivan
CC: "bmanning@vacation.karoshi.com", Bart Smit, "namedroppers@ops.ietf.org"
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
  <4A0E307D.3060208@acm.org>
In-Reply-To: <4A0E307D.3060208@acm.org>

I would like to ask for DNSCURVE to be seriously considered by this
group, it seems a valid option along those that have been enumerated
previously.

Certainly, it seems to require much less overhauling than DNSSEC thus far.

No flames please - just asking for it to get a fair shake. I have worked
on DNSSEC, so I know more about this latter one than DNSCURVE, but if a
simpler or somehow solution is possible, it should be considered
regardless.

dnscurve.org seems to have less information than I'd wish... are there
any further good docs on the matter?

Best -Federico

> Andrew Sullivan wrote:
>> Dear colleagues,
>>
>> This is a plea from one co-chair, speaking personally.
>>
>> On 15-May-09, at 20:03, bmanning@vacation.karoshi.com wrote:
>>> how many folks would be interested in spinning up a list to
>>> discuss augmentation/enhancement to the DNS that falls outside
>>> the (self-imposed) constraints of the IETF DNSEXT-WG?
>>> --bill
>> Before this thread turns into a debate about whether DNS protocol
>> development should happen elsewhere, I'd like to remind everyone that we
>> have an open debate on a number of options, and no decision of any kind
>> has been taken. We chairs set a deadline before which we wanted debate
>> to proceed to see whether a consensus might emerge. That date is next
>> week, and I can't see any strong reason to try to change it now. We also
>> said we'd have a meeting in Stockholm if no consensus emerged.
>>
>> Any option that was on the table remains there (and perhaps some new
>> ones are introduced). That's true even if we are forced unhappily to
>> accept that someone has walked away in frustration.
>>
>> So, please, can we focus on the options before us (that is, the ones
>> Olafur and I listed in our pre-meeting announcement and any that have
>> come up since)? Thanks.
>>
>> A

--
_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - lucifred@post.harvard.edu - GnuPG 0x4A73884C

From owner-namedroppers@ops.ietf.org Sat May 16 10:50:11 2009
In-Reply-To: <4A0EEC5A.2020708@post.harvard.edu>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
  <4A0E307D.3060208@acm.org>
  <4A0EEC5A.2020708@post.harvard.edu>
Date: Sat, 16 May 2009 10:45:56 -0700
To: Federico Lucifredi
From: Paul Hoffman
Subject: [dnsext] DNSCURVE
Cc: "namedroppers@ops.ietf.org"

At 12:39 PM -0400 5/16/09, Federico Lucifredi wrote:
>I would like to ask for DNSCURVE to be seriously considered by this
>group, it seems a valid option along those that have been enumerated
>previously.
>
>Certainly, it seems to require much less overhauling than DNSSEC thus far.
>
>No flames please - just asking for it to get a fair shake. I have worked
>on DNSSEC, so I know more about this latter one than DNSCURVE, but if a
>simpler or somehow solution is possible, it should be considered regardless.
>
>dnscurve.org seems to have less information than I'd wish... are there
>any further good docs on the matter?

I'm confused. You want the WG to consider DNSCURVE, but you then say that
there is "less information than I'd wish". How can we consider it if we
don't know what it is?

--Paul Hoffman, Director
--VPN Consortium
From owner-namedroppers@ops.ietf.org Sat May 16 11:57:13 2009
In-Reply-To: <4A0EEC5A.2020708@post.harvard.edu>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
  <4A0E307D.3060208@acm.org>
  <4A0EEC5A.2020708@post.harvard.edu>
Date: Sat, 16 May 2009 11:52:50 -0700
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
From: Matthew Dempsky
To: Federico Lucifredi
Cc: namedroppers@ops.ietf.org
On Sat, May 16, 2009 at 9:39 AM, Federico Lucifredi wrote:
> dnscurve.org seems to have less information than I'd wish... are there
> any further good docs on the matter?

What more information or documentation are you looking for?

The only thing that comes to mind as inadequately explained on
dnscurve.org is the definition of a "cryptographic box", which is a term
used by NaCl[1].

The existing documentation is admittedly terse, but it was otherwise
sufficient for us to have built a mostly working DNSCurve forwarder[2] as
well as a patch for djbdns to add support for DNSCurve[3]. These
implementations still need some polish and documentation, but they're
largely functional and just waiting on us to have some extra free time to
work on it more. If you're interested in contributing, contact me off
list.

[1] http://nacl.cace-project.eu/
[2] http://github.com/mrd/dnscurve/tree/master
[3] http://shinobi.dempsky.org/~matthew/misc/djbdns-dnscurve.patch
From owner-namedroppers@ops.ietf.org Sat May 16 12:06:14 2009
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
  <4A0E307D.3060208@acm.org>
  <4A0EEC5A.2020708@post.harvard.edu>
Date: Sat, 16 May 2009 12:03:56 -0700
Subject: Re: [dnsext] DNSCURVE
From: Matthew Dempsky
To: Paul Hoffman
Cc: Federico Lucifredi, "namedroppers@ops.ietf.org"
On Sat, May 16, 2009 at 10:45 AM, Paul Hoffman wrote:
> I'm confused. You want the WG to consider DNSCURVE, but you then say
> that there is "less information than I'd wish". How can we consider it
> if we don't know what it is?

If you have questions about DNSCurve that are not adequately answered
by the dnscurve.org web site, then I'll be happy to try to answer them
here.

From owner-namedroppers@ops.ietf.org Sat May 16 12:08:24 2009
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
  <20090516000313.GA19843@vacation.karoshi.com.>
  <4A0E307D.3060208@acm.org>
  <4A0EEC5A.2020708@post.harvard.edu>
Date: Sat, 16 May 2009 12:06:35 -0700
To: Matthew Dempsky
From: Paul Hoffman
Subject: Re: [dnsext] DNSCURVE
Cc: Federico Lucifredi, "namedroppers@ops.ietf.org"

At 12:03 PM -0700 5/16/09, Matthew Dempsky wrote:
>On Sat, May 16, 2009 at 10:45 AM, Paul Hoffman wrote:
>> I'm confused. You want the WG to consider DNSCURVE, but you then say
>> that there is "less information than I'd wish". How can we consider it
>> if we don't know what it is?
>
>If you have questions about DNSCurve that are not adequately answered
>by the dnscurve.org web site, then I'll be happy to try to answer them
>here.

Thanks! Where is the stable version of the protocol that we can use to
determine if we should adopt it in this WG?

--Paul Hoffman, Director
--VPN Consortium
archive: From owner-namedroppers@ops.ietf.org Sat May 16 12:17:25 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 55F763A6E6C; Sat, 16 May 2009 12:17:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.103 X-Spam-Level: X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OujjudWU--p; Sat, 16 May 2009 12:17:24 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 84E513A6869; Sat, 16 May 2009 12:17:24 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5PMK-0001W2-E3 for namedroppers-data0@psg.com; Sat, 16 May 2009 19:15:48 +0000 Received: from [69.17.117.6] (helo=mail4.sea5.speakeasy.net) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5PM7-0001VA-Tf for namedroppers@ops.ietf.org; Sat, 16 May 2009 19:15:42 +0000 Received: (qmail 4538 invoked from network); 16 May 2009 19:15:35 -0000 Received: from dsl092-066-189.bos1.dsl.speakeasy.net (HELO spaceman.local) (federico@[66.92.66.189]) (envelope-sender ) by mail4.sea5.speakeasy.net (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for ; 16 May 2009 19:15:35 -0000 Message-ID: <4A0F10D5.9040805@post.harvard.edu> Date: Sat, 16 May 2009 15:15:33 -0400 From: Federico Lucifredi User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302) MIME-Version: 1.0 To: Paul Hoffman CC: "namedroppers@ops.ietf.org" Subject: Re: [dnsext] DNSCURVE References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> 
<20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: >> dnscurve.org seems to have less information than I'd wish... are there >> any further good docs on the matter? > > I'm confused. You want the WG to consider DNSCURVE, but you then say that there is "less information than I'd wish". How can we consider it if we don't know what it is? > I am presuming there is more published. I will look and report back, if no one knows better here :) Best-F -- _________________________________________ -- "'Problem' is a bleak word for challenge" - Richard Fish (Federico L. Lucifredi) - lucifred@post.harvard.edu - GnuPG 0x4A73884C -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Sat May 16 12:34:53 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 277B628C1FA; Sat, 16 May 2009 12:34:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4FFujoUF9Ha; Sat, 16 May 2009 12:34:52 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5DF3028C1F2; Sat, 16 May 2009 12:34:52 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 
1M5Pcf-00030b-Na for namedroppers-data0@psg.com; Sat, 16 May 2009 19:32:41 +0000 Received: from [209.85.217.207] (helo=mail-gx0-f207.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5PcN-0002yk-29 for namedroppers@ops.ietf.org; Sat, 16 May 2009 19:32:35 +0000 Received: by gxk3 with SMTP id 3so5135823gxk.17 for ; Sat, 16 May 2009 12:32:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.90.105.17 with SMTP id d17mr4108415agc.68.1242502340674; Sat, 16 May 2009 12:32:20 -0700 (PDT) In-Reply-To: References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> Date: Sat, 16 May 2009 12:32:20 -0700 Message-ID: Subject: Re: [dnsext] DNSCURVE From: Matthew Dempsky To: Paul Hoffman Cc: Federico Lucifredi , "namedroppers@ops.ietf.org" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Sat, May 16, 2009 at 12:06 PM, Paul Hoffman wrote: > Thanks! Where is the stable version of the protocol that we can use to determine if we should adopt it in this WG? No DNSCurve developer is concerned yet with this WG adopting it, so if you're genuinely interested in discussing DNSCurve, you'll have to rely on the dnscurve.org web site for details for now. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
From owner-namedroppers@ops.ietf.org Sat May 16 18:19:40 2009
Date: Sat, 16 May 2009 18:11:36 -0700
From: Paul Hoffman
To: Matthew Dempsky
Cc: Federico Lucifredi, "namedroppers@ops.ietf.org"
Subject: Re: [dnsext] DNSCURVE

At 12:32 PM -0700 5/16/09, Matthew Dempsky wrote:
>On Sat, May 16, 2009 at 12:06 PM, Paul Hoffman wrote:
>> Thanks! Where is the stable version of the protocol that we can use to determine if we should adopt it in this WG?
>
>No DNSCurve developer is concerned yet with this WG adopting it, so if
>you're genuinely interested in discussing DNSCurve, you'll have to
>rely on the dnscurve.org web site for details for now.

I can't speak for others, but then I think the correct answer from the WG is "thanks but no thanks". Not having a stable reference is a pretty heavy impediment, particularly when the DNS-specific parts change. If a "DNSCurve developer" wants to spend the hour or two it takes to convert the disparate stuff from the web site into an Internet Draft, that would be lovely.

--Paul Hoffman, Director
--VPN Consortium

From owner-namedroppers@ops.ietf.org Sat May 16 18:39:27 2009
Message-ID: <4A0F69B3.3D5181C8@ix.netcom.com>
Date: Sat, 16 May 2009 18:34:43 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Paul Hoffman
CC: Federico Lucifredi, "namedroppers@ops.ietf.org"
Subject: Re: [dnsext] DNSCURVE

Paul and all,

You can do so by learning on your own volition. A rather simple concept really.

Paul Hoffman wrote:
> At 12:39 PM -0400 5/16/09, Federico Lucifredi wrote:
> >I would like to ask for DNSCURVE to be seriously considered by this
> >group, it seems a valid option along those that have been enumerated
> >previously.
> >
> >Certainly, it seems to require much less overhauling than DNSSEC thus far.
> >
> >No flames please - just asking for it to get a fair shake. I have worked
> >on DNSSEC, so I know more about this latter one than DNSCURVE, but if a
> >simpler or somehow solution is possible, it should be considered regardless.
> >
> >dnscurve.org seems to have less information than I'd wish... are there
> >any further good docs on the matter?
>
> I'm confused. You want the WG to consider DNSCURVE, but you then say that there is "less information than I'd wish". How can we consider it if we don't know what it is?
>
> --Paul Hoffman, Director
> --VPN Consortium

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827

From owner-namedroppers@ops.ietf.org Sat May 16 19:10:06 2009
Message-ID: <4A0F714D.D79D9BC9@ix.netcom.com>
Date: Sat, 16 May 2009 19:07:09 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Paul Hoffman
CC: Matthew Dempsky, Federico Lucifredi, "namedroppers@ops.ietf.org"
Subject: Re: [dnsext] DNSCURVE

Paul and all,

Well, in this instance, thankfully you're not speaking for others, including myself. So we can begin minus Paul. Thank you Matt for the info. Perhaps Paul will avail himself, as well as others, of the information and begin the learning curve. Perhaps Paul will change his thinking and begin his journey of learning of DNSCURVE when he feels he is up to the challenge...

Paul Hoffman wrote:
> At 12:32 PM -0700 5/16/09, Matthew Dempsky wrote:
> >On Sat, May 16, 2009 at 12:06 PM, Paul Hoffman wrote:
> >> Thanks! Where is the stable version of the protocol that we can use to determine if we should adopt it in this WG?
> >
> >No DNSCurve developer is concerned yet with this WG adopting it, so if
> >you're genuinely interested in discussing DNSCurve, you'll have to
> >rely on the dnscurve.org web site for details for now.
>
> I can't speak for others, but then I think the correct answer from the WG is "thanks but no thanks". Not having a stable reference is a pretty heavy impediment, particularly when the DNS-specific parts change. If a "DNSCurve developer" wants to spend the hour or two it takes to convert the disparate stuff from the web site into an Internet Draft, that would be lovely.
>
> --Paul Hoffman, Director
> --VPN Consortium

Regards,

Spokesman for INEGroup LLA.

From owner-namedroppers@ops.ietf.org Sun May 17 00:43:00 2009
Date: Sun, 17 May 2009 00:36:14 -0700
From: Matthew Dempsky
To: Paul Hoffman
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNSCURVE

On Sat, May 16, 2009 at 6:11 PM, Paul Hoffman wrote:
> I can't speak for others, but then I think the correct answer from the WG is "thanks but no thanks". Not having a stable reference is a pretty heavy impediment, particularly when the DNS-specific parts change.

I didn't suggest this WG adopt it. I only offered that if anyone here had questions, I would be willing to answer them from my experience in building one and a half DNSCurve implementations.

> If a "DNSCurve developer" wants to spend the hour or two it takes to convert the disparate stuff from the web site into an Internet Draft, that would be lovely.

And if you wanted to spend the hour or two to actually read the web site, that would be lovely too. The entire site is less than 5000 words, so it shouldn't take you long. Otherwise, please stop feigning interest in it. You've complained about the lack of a "stable" specification for some time now, even though the pages haven't changed in six months. What's so magical about being in RFC format?

If you really want a guarantee that the files you're looking at won't change, you can use

    http://shinobi.dempsky.org/~matthew/dnscurve.org-20090517/

I just mirrored the files from dnscurve.org here, and I promise not to update them.
From owner-namedroppers@ops.ietf.org Sun May 17 08:14:15 2009
From: Paul Hoffman
To: Matthew Dempsky
Cc: namedroppers@ops.ietf.org
Date: Sun, 17 May 2009 08:08:11 -0700
Subject: Re: [dnsext] DNSCURVE
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>

At 12:36 AM -0700 5/17/09, Matthew Dempsky wrote:
>On Sat, May 16, 2009 at 6:11 PM, Paul Hoffman wrote:
>> I can't speak for others, but then I think the correct answer from the WG is "thanks but no thanks". Not having a stable reference is a pretty heavy impediment, particularly when the DNS-specific parts change.
>
>I didn't suggest this WG adopt it.

Understood.

>I only offered that if anyone here had questions, I would be willing to answer them from my experience in building one and a half DNSCurve implementations.

This is part of a thread about the WG adopting the protocol.

>> If a "DNSCurve developer" wants to spend the hour or two it takes to convert the disparate stuff from the web site into an Internet Draft, that would be lovely.
>
>And if you wanted to spend the hour or two to actually read the web site, that would be lovely too. The entire site is less than 5000 words, so it shouldn't take you long.

I have read it, fully, a few times; that's how I know that it is a moving target.

>Otherwise, please stop feigning interest in it.

Interest != support. It *is* interesting, and it solves a number of the problems that DNSSEC has, and it also creates some of its own. The WG can decide how it wants to make that balance.

>You've complained about the lack of a "stable" specification for some time now, even though the pages haven't changed in six months.

And it changed, significantly, a few times before that.

>What's so magical about being in RFC format?

A universally-available, easily-referenced document that is not subject to in-place change by its authors.

>If you really want a guarantee that the files you're looking at won't change, you can use
>
> http://shinobi.dempsky.org/~matthew/dnscurve.org-20090517/
>
>I just mirrored the files from dnscurve.org here, and I promise not to update them.

That works for me, if it is sufficient for others in the WG.

--Paul Hoffman, Director
--VPN Consortium

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Sun May 17 10:13:25 2009
From: Paul Vixie
To: namedroppers@ops.ietf.org
Date: Sun, 17 May 2009 17:08:56 +0000
Subject: Re: [dnsext] DNSCURVE
Message-ID: <45463.1242580136@nsa.vix.com>
In-Reply-To: Your message of "Sun, 17 May 2009 00:36:14 MST."
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>

wrt dnscurve, there's no obvious (to me) technical reason not to pursue it. however, that was also true of TUBA after the IPng decision was made, and i think there can be obvious nontechnical reasons not to pursue something that would compete for global market/mind/deployment share against DNSSEC.

nontechnical decisions of that kind are above the pay grade of this WG, yet must still be made from time to time. can an IETF process expert educate us (or is it just me?) as to how we get a nontechnical ruling on this?
From owner-namedroppers@ops.ietf.org Sun May 17 11:39:56 2009
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Paul Vixie
CC: namedroppers@ops.ietf.org
Date: Sun, 17 May 2009 11:35:54 -0700
Subject: Re: [dnsext] DNSCURVE
Message-ID: <4A10590A.87B43BD@ix.netcom.com>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <45463.1242580136@nsa.vix.com>

Paul and all,

Paul has this about right. If Paul H doesn't want to pursue DNSCURVE for anti-competitive reasons, it seems to me that the discussion/debate is more about politically charged reasons rather than more reasonable technical ones.

Paul Vixie wrote:
> wrt dnscurve, there's no obvious (to me) technical reason not to pursue it.
> however, that was also true of TUBA after the IPng decision was made, and i
> think there can be obvious nontechnical reasons not to pursue something
> that would compete for global market/mind/deployment share against DNSSEC.
>
> nontechnical decisions of that kind are above the pay grade of this WG, yet
> must still be made from time to time. can an IETF process expert educate
> us (or is it just me?) as to how we get a nontechnical ruling on this?
From owner-namedroppers@ops.ietf.org Sun May 17 12:30:19 2009
From: Michael StJohns
To: namedroppers@ops.ietf.org
Date: Sun, 17 May 2009 15:25:49 -0400
Subject: Re: [dnsext] DNSCURVE
In-Reply-To: <4A10590A.87B43BD@ix.netcom.com>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <45463.1242580136@nsa.vix.com> <4A10590A.87B43BD@ix.netcom.com>

Generally, working group work items are either specified in the charter, OR adopted after the submission and discussion of an Internet Draft. Rarely, they're adopted by the WG in plenary session prior to the submission of an ID to meet a well specified requirement - e.g. a hole filler.

Without making a judgement on the technical (or political - *shesh*) merits of DNSCURVE, I haven't seen any argument why it deserves special consideration to bypass the above.

If the proponents of DNSCURVE want it to be considered by the working group, I suggest they would have better luck submitting an ID for the group's consideration rather than directing the members to a web site that appears to be organized more as propaganda (Webster definition 2 - the spreading of ideas for the purpose of helping a cause) than as a solid technical proposal.

I'd further suggest that, absent such submission, there's not a lot more to discuss that's appropriate for this mailing list.
From owner-namedroppers@ops.ietf.org Sun May 17 12:51:57 2009
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Date: Sun, 17 May 2009 15:48:35 -0400
Subject: Re: [dnsext] DNSCURVE
Message-ID: <20090517194834.GA3819@shinkuro.com>
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>

Dear colleagues,

On Sat, May 16, 2009 at 06:11:36PM -0700, Paul Hoffman wrote:
> the WG is "thanks but no thanks". Not having a stable reference is a
> pretty heavy impediment, particularly when the DNS-specific parts
> change.

This is exactly where we got the last time DNSCurve was discussed on this list. See, for instance, the thread beginning at http://ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01708.html, where Roy pleaded that we either get a draft or stop discussing it.

Nobody is suggesting that the DNSEXT WG is the be-all and end-all of DNS, but in the IETF we have exactly one way to proceed, and that is to work on Internet Drafts. If nobody is willing to write such a draft, then we're out of luck. By the same token, if someone _is_ willing to write such a draft, then we have something to discuss.

The same principle goes for the strategy involving TKEY and TSIG that Paul Vixie has proposed, but at least there what we need is a relatively simple draft explaining how to do something with an already implemented and standardized technology. I think if his suggestion found support, it would not be too hard to find an editor for the needed document. DNSCurve is rather more complicated, however, and the set of those who both understand it, and are likely to be willing to contribute the work to see an I-D through this working group, is small. If you are such a volunteer, I encourage you to say so and then to produce such a draft.

In the absence of such a draft or planned draft, however, we have nothing to discuss adopting. So we should not discuss the merits of such adoption.

Thanks,

Andrew

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
archive: From owner-namedroppers@ops.ietf.org Sun May 17 14:08:57 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 818273A6D3A; Sun, 17 May 2009 14:08:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.638 X-Spam-Level: * X-Spam-Status: No, score=1.638 tagged_above=-999 required=5 tests=[AWL=-0.525, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BUAqA8SgEYgW; Sun, 17 May 2009 14:08:56 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 718003A6D27; Sun, 17 May 2009 14:08:56 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5nXP-000OMh-74 for namedroppers-data0@psg.com; Sun, 17 May 2009 21:04:51 +0000 Received: from [209.86.89.70] (helo=elasmtp-banded.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5nXA-000OK5-0D for namedroppers@ops.ietf.org; Sun, 17 May 2009 21:04:43 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=EIzxAI4FTXjV10GxmQFeEn/7sFzBGc7quwfrkGbtWWTBDnywjj5mnqlkjMW3xD2+; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.193] (helo=ix.netcom.com) by elasmtp-banded.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M5nX8-0006yn-DI; Sun, 17 May 2009 17:04:35 -0400 Message-ID: <4A107BD7.88A3E8B2@ix.netcom.com> Date: Sun, 17 May 2009 14:04:23 -0700 From: "Jeffrey A. 
Williams"
Organization: IDNS and Spokesman for INEGroup
To: Andrew Sullivan
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNSCURVE
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com>

Andrew and all,

Yes, and the one size/method fits all is one of the central problems
with the IETF. But it can and likely should be overcome to the benefit
of all.

Andrew Sullivan wrote:
>
> Dear colleagues,
>
> On Sat, May 16, 2009 at 06:11:36PM -0700, Paul Hoffman wrote:
>
> > the WG is "thanks but no thanks". Not having a stable reference is a
> > pretty heavy impediment, particularly when the DNS-specific parts
> > change.
>
> This is exactly where we got the last time DNSCurve was discussed on
> this list. See, for instance, the thread beginning at
> http://ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01708.html,
> where Roy pleaded that we either get a draft or stop discussing it.
>
> Nobody is suggesting that the DNSEXT WG is the be-all and end-all of
> DNS, but in the IETF we have exactly one way to proceed, and that is
> to work on Internet Drafts. If nobody is willing to write such a
> draft, then we're out of luck. By the same token, if someone _is_
> willing to write such a draft, then we have something to discuss.
>
> The same principle goes for the strategy involving TKEY and TSIG that
> Paul Vixie has proposed, but at least there what we need is a
> relatively simple draft explaining how to do something with an already
> implemented and standardized technology. I think if his suggestion
> found support, it would not be too hard to find an editor for the
> needed document. DNSCurve is rather more complicated, however, and
> the set of those who both understand it, and are likely to be willing
> to contribute the work to see an I-D through this working group, is
> small. If you are such a volunteer, I encourage you to say so and
> then to produce such a draft.
>
> In the absence of such a draft or planned draft, however, we have
> nothing to discuss adopting. So we should not discuss the merits of
> such adoption.
>
> Thanks,
>
> Andrew
>
> --
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by P: i.e.,
whether B is less than PL." United States v. Carroll Towing (159 F.2d
169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Sun May 17 14:36:14 2009
From: Paul Vixie
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNSCURVE
In-Reply-To: Your message of "Sun, 17 May 2009 15:25:49 -0400."
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <45463.1242580136@nsa.vix.com> <4A10590A.87B43BD@ix.netcom.com>
Date: Sun, 17 May 2009 21:33:07 +0000
Message-ID: <58262.1242595987@nsa.vix.com>

> Date: Sun, 17 May 2009 15:25:49 -0400
> From: Michael StJohns
> ...
> If the proponents of DNSCURVE want it to be considered by the working
> group, I suggest they would have better luck submitting an ID for the
> group's consideration ...

i think the dnscurve folks have made clear that they don't care whether
IETF takes up their work or not. but here we see some cracks in the IETF
model. for one thing, lack of interest in IETF's processes on the part of
a technology's creators should not be a disqualifier. (RFC 2616, i'm
looking at *you*.) if DNS CURVE or EDNS PING are championed by someone
other than their original authors, they could still make it to RFC.

but the more important crack exposed in the IETF model is that it doesn't
take IETF action to create a global interoperable technology. (RFC 1001
and RFC 1002, i'm looking at *you*.) if DNS CURVE or EDNS PING or similar
were variously/multiply implemented and then widely deployed (for example
by Google, Akamai, Microsoft, Apple, and at least one F/L/OSS package) it
would not matter whether IETF had thought it was a good idea, or not.

> I'd further suggest, that absent such submission there's not a lot more
> to discuss that's appropriate for this mailing list.

i'm desperately afraid that you may be right. but in case not, let me ask
that the IETF practice some leadership which includes some vision and some
direction -- and not just act as a preventer/gatekeeper of ideas whose
authors may have other options besides getting an RFC published. sometimes
leadership isn't universally popular -- for example i was a TUBA fan and i
knew that IPng could not possibly live up to its promises (and here we are!)
and i was angry about the IPng decision at the time. however, i knew then
as i know now that if we want to move a whole world and its industry, we're
going to have to make some choices that favour one approach over another,
and which preclude an open-ended solution set, and which sometimes cause us
to finish multigenerational projects even when some people have different
goals, like end to end dns security (DNSSEC) vs. hop by hop dns security
(DNS CURVE and EDNS PING).

> Date: Sun, 17 May 2009 15:48:35 -0400
> From: Andrew Sullivan
> ...
> Nobody is suggesting that the DNSEXT WG is the be-all and end-all of
> DNS, but in the IETF we have exactly one way to proceed, and that is
> to work on Internet Drafts. If nobody is willing to write such a
> draft, then we're out of luck. By the same token, if someone _is_
> willing to write such a draft, then we have something to discuss.

what if someone is willing to write an internet draft but the idea they
want to advance is not strategically compatible with the IETF's stated long
term aims? what's the review process on long term strategy? if it isn't
meant to be discussed in the WG, then where do i need to go if i want to
discuss (and in this case make explicit) long term dns security strategy in
the IETF?

> The same principle goes for the strategy involving TKEY and TSIG that
> Paul Vixie has proposed, but at least there what we need is a relatively
> simple draft explaining how to do something with an already implemented
> and standardized technology. I think if his suggestion found support, it
> would not be too hard to find an editor for the needed document.

i'm not sure what this means. several people supported EDNS PING in the
recent discussion here, and several have indicated support for DNS CURVE
as well. of course, there were also detractors. how does the WG propose
to measure early support well enough to know whether to seek a document
editor? right now we have a qualification for "accepting a document" which
counts only on five people willing to review it... with no mention of
whether those five should be generally supportive... and with no mention
of whether the idea itself should be compatible with the IETF's long term
strategy for related technologies. i find the criteria and process "muddy."

> DNSCurve is rather more complicated, however, and the set of those who
> both understand it, and are likely to be willing to contribute the work
> to see an I-D through this working group, is small. If you are such a
> volunteer, I encourage you to say so and then to produce such a draft.
>
> In the absence of such a draft or planned draft, however, we have nothing
> to discuss adopting. So we should not discuss the merits of such
> adoption.

i think several of us are wondering how to decide whether to write an I-D
at all. that's why i'm asking leadership-related questions about strategy.
and all of that has to be worked out before we can say that without a draft
there is nothing to discuss.

paul
From owner-namedroppers@ops.ietf.org Sun May 17 15:43:51 2009
Message-ID: <4A109203.970F4D47@ix.netcom.com>
Date: Sun, 17 May 2009 15:38:59 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Paul Vixie
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNSCURVE
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <45463.1242580136@nsa.vix.com> <4A10590A.87B43BD@ix.netcom.com> <58262.1242595987@nsa.vix.com>

Paul and all,

Well said here... >:)

Paul Vixie wrote:
> [...]

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
From owner-namedroppers@ops.ietf.org Mon May 18 00:48:37 2009
To: Matthew Dempsky
Cc: Paul Hoffman, Federico Lucifredi, "namedroppers@ops.ietf.org"
Subject: Re: [dnsext] DNSCURVE
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>
From: Florian Weimer
Date: Mon, 18 May 2009 09:42:55 +0200
In-Reply-To: (Matthew Dempsky's message of "Sat, 16 May 2009 12:03:56 -0700")
Message-ID: <82iqjyzwjk.fsf@mid.bfk.de>

* Matthew Dempsky:

> If you have questions about DNSCurve that are not adequately answered
> by the dnscurve.org web site, then I'll be happy to try to answer them
> here.

Why has DNSCURVE a fallback to port 53? Why don't implementations
switch to a different port when they see DNSCURVE support in the NS
record?

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Mon May 18 00:57:06 2009
To: namedroppers@ops.ietf.org
Subject: [dnsext] Increasing hash collision resilience
From: Florian Weimer
Date: Mon, 18 May 2009 09:54:27 +0200
Message-ID: <82eiumzw0c.fsf@mid.bfk.de>

Currently, DNSSEC is rather exposed to near-state-of-the-art collision
attacks when the signature on DS records is computed. (This data comes
from a potential attacker. Other signatures cover self-created data and
are thus not subject to current attacks, except for signatures on
externally submitted zone contents, but this can be addressed by
delegation.)

In order to counter these attacks, it's possible (and recommended) to
prefix the signed document with a nonce. Currently, there is no good
way to do this. However, it would be possible to put this nonce into a
DS record with the Digest Type 0, Key Tag 0, which is currently
reserved.

Is there interest in a draft which sets aside Digest Type 0 for this
purpose? Any other Digest Type doesn't work because attacker-controlled
data might sort in front of it.

No change in authoritative servers, resolvers, or validators is
required beyond relaxation of overly strict checks on DNSSEC Digest
Types. Only zone signers need to be updated to generate the nonces.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
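As an added illustration of the sorting argument in the message above (constructed here, not code from the thread or from any signer), the following Python orders DS RDATA the way RFC 4034 section 6.3 orders an RRset before it is signed and shows why a nonce record needs key tag 0, algorithm 0 and the reserved digest type 0 rather than any other digest type. The parent-side refusal of child-submitted digest type 0, the owner name and all DS values are assumptions made up for the example.

```python
"""Constructed illustration of the nonce-DS idea; not code from the thread
or from any signer.  Ordering follows RFC 4034 section 6.3, the DS wire
format (key tag, algorithm, digest type, digest) RFC 4034 section 5.1.
All DS values below are made up, not real delegations."""
import os
import struct

DS_TYPE = 43   # RR type code for DS
CLASS_IN = 1


def ds_rdata(key_tag, algorithm, digest_type, digest):
    """DS RDATA in wire form: 2-octet key tag, 1-octet algorithm,
    1-octet digest type, then the digest octets."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def canonical_order(rdatas):
    """RFC 4034 6.3: RRs in an RRset are sorted by RDATA treated as a
    left-justified unsigned octet sequence (a shorter prefix sorts before
    a zero octet) with duplicates removed.  Python bytes ordering is
    exactly that rule."""
    return sorted(set(rdatas))


def make_nonce_ds(nonce_len=32):
    """Signer-generated nonce DS: key tag 0, algorithm 0 and the reserved
    digest type 0 proposed in the message, followed by random octets."""
    return ds_rdata(0, 0, 0, os.urandom(nonce_len))


def accept_submitted_ds(rdata):
    """Assumed parent-side check (not spelled out in the thread): DS data
    submitted by a child must not use digest type 0, since only such data
    could sort in front of the nonce.  Returns True if it may be published."""
    _key_tag, _alg, digest_type = struct.unpack("!HBB", rdata[:4])
    return digest_type != 0


def sorts_first(candidate, others):
    """True when candidate is the first RR of the canonical RRset."""
    return canonical_order([candidate, *others])[0] == candidate


def signed_octets(rrsig_rdata_prefix, owner_wire, ttl, rdatas):
    """Octets covered by the RRSIG (RFC 4034 3.1.8.1): the RRSIG RDATA
    without its signature field, then each RR of the set in canonical
    order as owner | type | class | TTL | RDLENGTH | RDATA."""
    out = bytearray(rrsig_rdata_prefix)
    for rd in canonical_order(rdatas):
        out += owner_wire
        out += struct.pack("!HHIH", DS_TYPE, CLASS_IN, ttl, len(rd))
        out += rd
    return bytes(out)


def offsets(signed, nonce, attacker_rdatas):
    """(offset of the nonce RDATA, offset of the earliest attacker RDATA)
    inside the signed octets; the nonce must come first."""
    return signed.index(nonce), min(signed.index(rd) for rd in attacker_rdatas)


if __name__ == "__main__":
    digest = bytes(32)  # constructed: the lowest-sorting 32-octet digest
    # Three child-submitted DS records, including one with key tag 0, to
    # show that the key tag alone does not decide the order.
    attacker = [ds_rdata(0, 8, 2, digest),
                ds_rdata(1, 8, 2, digest),
                ds_rdata(12345, 13, 2, digest)]
    print(all(accept_submitted_ds(rd) for rd in attacker))              # True

    # A nonce carried in an ordinary digest type can be out-sorted.
    weak = ds_rdata(5, 8, 2, os.urandom(32))
    print("digest type 2 nonce first:", sorts_first(weak, attacker))    # False

    # The reserved 0/0/0 record sorts before every DS with a nonzero key
    # tag, algorithm or digest type, so it precedes all attacker data.
    nonce = make_nonce_ds()
    print("digest type 0 nonce first:", sorts_first(nonce, attacker))   # True
    owner = b"\x07example\x03com\x00"
    rrsig_prefix = bytes.fromhex("002b0802000e1000")  # constructed fields
    signed = signed_octets(rrsig_prefix, owner, 3600, attacker + [nonce])
    print(offsets(signed, nonce, attacker))
```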
From owner-namedroppers@ops.ietf.org Mon May 18 01:01:55 2009
Date: Mon, 18 May 2009 09:58:26 +0200
From: Stephane Bortzmeyer
To: namedroppers@ops.ietf.org
Cc: "dnsext-chairs@tools.ietf.org", namedroppers@ops.ietf.org
Subject: [dnsext] Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
Message-ID: <20090518075826.GA936@nic.fr>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
In-Reply-To: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>
Organization: NIC France

On Sat, May 16, 2009 at 12:02:57AM +0200,
 bert hubert wrote
 a message of 65 lines which said:

> I have also been pointedly informed [3] that EDNS-PING, which
> requires an EDNS option code, can't succeed as an individual draft
> either since only the DNSEXT WG can authorize the issue of such an
> EDNS option code from IANA.

> [3]
> http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00676.html

Yes, this is what is written in the message you mention but I am not
convinced. RFC 2671 says:

   any published RFC (including Informational, Experimental, or BCP)
   should be grounds for allocation of an EDNS Option Code.

And the IANA registry says:

   Registry Name: DNS EDNS0 Options
   Reference: [RFC5001]
   Registration Procedures: Specification required

And "Specification required" is defined in RFC 5226 as not even
requesting an RFC. So, I really believe that the message you mention
was wrong. EDNS-PING can have its option code through an individual
Informational RFC. (There are, after all, 65535 possible option codes.)
To: Message-ID: <000d01c9d78f$18de3240$6400a8c0@vizor864> MIME-Version: 1.0 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Mailer: Microsoft Outlook Express 6.00.2900.2180 Content-type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal Look Great , Let Acai Berry Help. Get the worlds # 1 food Acai Berry in your diet. Please Visit http://www.ahambof.net/?kbhyglheaipa From owner-namedroppers@ops.ietf.org Mon May 18 01:13:45 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7576C3A6C8A; Mon, 18 May 2009 01:13:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.948 X-Spam-Level: X-Spam-Status: No, score=-105.948 tagged_above=-999 required=5 tests=[AWL=0.301, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YU7C+umPEGpC; Mon, 18 May 2009 01:13:44 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4776728C24C; Mon, 18 May 2009 01:13:44 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5xw2-0003dQ-6r for namedroppers-data0@psg.com; Mon, 18 May 2009 08:10:58 +0000 Received: from [2001:660:3003:2::4:11] (helo=mx2.nic.fr) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M5xvo-0003c9-BF for namedroppers@ops.ietf.org; Mon, 18 May 2009 08:10:51 +0000 Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id A2E101C0140; Mon, 18 May 2009 10:10:43 +0200 (CEST) Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx2.nic.fr (Postfix) with ESMTP id 9E3301C010F; 
Date: Mon, 18 May 2009 10:10:43 +0200
From: Stephane Bortzmeyer
To: Matthew Dempsky
Cc: Federico Lucifredi, namedroppers@ops.ietf.org
Subject: [dnsext] Re: DNSCURVE
Message-ID: <20090518081043.GC936@nic.fr>
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>
Organization: NIC France
X-URL: http://www.nic.fr/

On Sat, May 16, 2009 at 06:11:36PM -0700,
 Paul Hoffman wrote
 a message of 17 lines which said:

> If a "DNSCurve developer" wants to spend the hour or two it takes to
> convert the disparate stuff from the web site into an Internet
> Draft, that would be lovely.

Of course, an Internet-Draft is mandatory if the idea is to bring the
work to the IETF but, since it is not the case, I would be
sufficiently happy with a detailed description of the protocol (the
closest thing to a specification seems to be ) *and* to a serious
improvement of the FUD^H^H^Hadvocacy Web page at , for instance by
adding in the Security section lines like:

Type of security        DNSSEC                      DNSCURVE

Integrity despite       Protects against            Does not protect against
rogue secondary name    it                          it
servers of resolvers

Ability to follow       The actual algorithm        Only one algorithm,
the progress in         is not hardwired in         if it is broken,
cryptography            the protocol. New           everything is over.
                        algos can be added.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Mon May 18 01:19:18 2009
Date: Mon, 18 May 2009 10:17:13 +0200
From: Stephane Bortzmeyer
To: Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <20090518081713.GD936@nic.fr>
In-Reply-To: <20090517194834.GA3819@shinkuro.com>
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com>
Organization: NIC France
X-URL: http://www.nic.fr/

On Sun, May 17, 2009 at 03:48:35PM -0400,
 Andrew Sullivan wrote
 a message of 49 lines which said:

> Nobody is suggesting that the DNSEXT WG is the be-all and end-all of
> DNS, but in the IETF we have exactly one way to proceed, and that is
> to work on Internet Drafts. If nobody is willing to write such a
> draft, then we're out of luck.

Which leads to a question (which is not only related to DNScurve but
also to the EDNS-PING or cookies assassinations): what body is in
charge of the DNS security? Not this WG, which only examines things
properly formatted as I-D, and is more and more a DNSSEC-only WG. So,
who? ICANN SSAC? ITU WG-nnn? DNS-OARC? US DHS? Microsoft with its
Conficker bounties?

I suspect the answer is "No one does, that's the Internet way" but it
may be too frightening for my little heart.
From owner-namedroppers@ops.ietf.org Mon May 18 01:22:55 2009
Date: Mon, 18 May 2009 10:21:03 +0200
From: Stephane Bortzmeyer
To: Matthew Dempsky
Cc: Federico Lucifredi, namedroppers@ops.ietf.org
Subject: [dnsext] Re: DNSCURVE
Message-ID: <20090518082103.GA4853@nic.fr>
In-Reply-To: <20090518081043.GC936@nic.fr>
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr>
Organization: NIC France
X-URL: http://www.nic.fr/

On Mon, May 18, 2009 at 10:10:43AM +0200,
 Stephane Bortzmeyer wrote
 a message of 31 lines which said:

> Type of security        DNSSEC                      DNSCURVE
>
> Integrity despite       Protects against            Does not protect against
> rogue secondary name    it                          it
> servers of resolvers

Of course, it was "rogue secondary name servers OR resolvers".

From owner-namedroppers@ops.ietf.org Mon May 18 01:45:35 2009
Date: Mon, 18 May 2009 11:40:23 +0300
From: "Aki Tuomi"
Subject: RE: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net>
Thread-Topic: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Thread-Index: AcnXk9fS97s/BWMZRsygbW+F8Yq21AAAEhtw
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr>

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-
> namedroppers@ops.ietf.org] On Behalf Of Stephane Bortzmeyer
> Sent: Monday, May 18, 2009 11:17 AM
> To: Andrew Sullivan
> Cc: namedroppers@ops.ietf.org
> Subject: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
>
> On Sun, May 17, 2009 at 03:48:35PM -0400,
>  Andrew Sullivan <ajs@shinkuro.com> wrote
>  a message of 49 lines which said:
>
> > Nobody is suggesting that the DNSEXT WG is the be-all and end-all of
> > DNS, but in the IETF we have exactly one way to proceed, and that is
> > to work on Internet Drafts.  If nobody is willing to write such a
> > draft, then we're out of luck.
>
> Which leads to a question (which is not only related to DNScurve but
> also to the EDNS-PING or cookies assassinations): what body is in
> charge of the DNS security? Not this WG, which only examines things
> properly formatted as I-D, and is more and more a DNSSEC-only WG. So,
> who? ICANN SSAC? ITU WG-nnn? DNS-OARC? US DHS? Microsoft with its
> Conficker bounties?
>
> I suspect the answer is "No one does, that's the Internet way" but it
> may be too frightening for my little heart.
>

I have a bad feeling that the correct answer (although they won't admit
it) is that ISC is the one who decides. After all, their proponents seem
to get the "final say" on how things are done.

-- cm
From owner-namedroppers@ops.ietf.org Mon May 18 02:30:37 2009
Date: Mon, 18 May 2009 09:25:57 +0000
From: bmanning@vacation.karoshi.com
To: Aki Tuomi
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <20090518092557.GB23462@vacation.karoshi.com.>
In-Reply-To: <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net>
References: <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net>

On Mon, May 18, 2009 at 11:40:23AM +0300, Aki Tuomi wrote:
> > -----Original Message-----
> > From: owner-namedroppers@ops.ietf.org [mailto:owner-
> > namedroppers@ops.ietf.org] On Behalf Of Stephane Bortzmeyer
> > Sent: Monday, May 18, 2009 11:17 AM
> > To: Andrew Sullivan
> > Cc: namedroppers@ops.ietf.org
> > Subject: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
> >
> > On Sun, May 17, 2009 at 03:48:35PM -0400,
> >  Andrew Sullivan wrote
> >  a message of 49 lines which said:
> >
> > > Nobody is suggesting that the DNSEXT WG is the be-all and end-all of
> > > DNS, but in the IETF we have exactly one way to proceed, and that is
> > > to work on Internet Drafts. If nobody is willing to write such a
> > > draft, then we're out of luck.
> >
> > Which leads to a question (which is not only related to DNScurve but
> > also to the EDNS-PING or cookies assassinations): what body is in
> > charge of the DNS security? Not this WG, which only examines things
> > properly formatted as I-D, and is more and more a DNSSEC-only WG. So,
> > who? ICANN SSAC? ITU WG-nnn? DNS-OARC? US DHS? Microsoft with its
> > Conficker bounties?
> >
> > I suspect the answer is "No one does, that's the Internet way" but it
> > may be too frightening for my little heart.
> >
>
> I have a bad feeling that the correct answer (although they won't admit
> it) is that ISC is the one who decides. After all, their proponents seem
> to get the "final say" on how things are done.
>
> -- cm

	s/ISC/Dominant DNS implementors/

--bill

From owner-namedroppers@ops.ietf.org Mon May 18 05:28:16 2009
Date: Mon, 18 May 2009 08:24:06 -0400
From: Federico Lucifredi
To: Stephane Bortzmeyer
CC: Matthew Dempsky, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE
Message-ID: <4A115366.9050105@post.harvard.edu>
In-Reply-To: <20090518081043.GC936@nic.fr>
References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr>

These two improvements would largely satisfy what I'm looking for.

Best-F

Stephane Bortzmeyer wrote:
> On Sat, May 16, 2009 at 06:11:36PM -0700,
>  Paul Hoffman wrote
>  a message of 17 lines which said:
>
>> If a "DNSCurve developer" wants to spend the hour or two it takes to
>> convert the disparate stuff from the web site into an Internet
>> Draft, that would be lovely.
>
> Of course, an Internet-Draft is mandatory if the idea is to bring the
> work to the IETF but, since it is not the case, I would be
> sufficiently happy with a detailed description of the protocol (the
> closest thing to a specification seems to be
> ) *and* to a serious improvement of the
> FUD^H^H^Hadvocacy Web page at , for
> instance by adding in the Security section lines like:
>
> Type of security        DNSSEC                      DNSCURVE
>
> Integrity despite       Protects against            Does not protect against
> rogue secondary name    it                          it
> servers of resolvers
>
> Ability to follow       The actual algorithm        Only one algorithm,
> the progress in         is not hardwired in         if it is broken,
> cryptography            the protocol. New           everything is over.
>                         algos can be added.

-- 
_________________________________________
-- "'Problem' is a bleak word for challenge" - Richard Fish
(Federico L. Lucifredi) - lucifred@post.harvard.edu - GnuPG 0x4A73884C
From owner-namedroppers@ops.ietf.org Mon May 18 06:01:37 2009
Date: Mon, 18 May 2009 14:56:58 +0200
From: Florian Weimer
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
Message-ID: <82eiumh8md.fsf@mid.bfk.de>
In-Reply-To: <82eiumzw0c.fsf@mid.bfk.de> (Florian Weimer's message of "Mon, 18 May 2009 09:54:27 +0200")
References: <82eiumzw0c.fsf@mid.bfk.de>

* Florian Weimer:

> Currently, DNSSEC is rather exposed to near-state-of-the-art collision
> attacks when the signature on DS records is computed.

I've been asked privately how such an attack would be carried out.
The attack sketched below is analogous to the one by Lenstra et al. on
MD5 CAs.

Suppose that ORG. is signed using DNSSEC, and you want to attack
EXAMPLE.ORG., that is, get a valid signature on a DS RRset for
EXAMPLE.ORG. which contains hashes of keys you control.

We haven't got a second preimage attack, so we cannot use the original
EXAMPLE.ORG. DS RRset and attack it directly. Instead, we generate our
own key pair, and create two DS RRsets which hash to the same value.
The second RRset is for a domain different from EXAMPLE.ORG. (the name
does not matter, as long as it is available for registration), and
both RRsets are stuffed with additional DS RRs, ignored by validators,
to obtain a collision. We request a signed delegation for the second
domain name from the .ORG. zone operator, and thanks to the collision,
it is also valid for EXAMPLE.ORG. (It's probably necessary to register
several domains in parallel because there is some uncertainty in the
validity period of the RRSIG record.)

Right now, this is rather theoretical because a sufficiently potent
attack for SHA-1 has not been published. However, it is widely
believed that such attacks are just around the corner.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
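The sketch above turns on one detail: the signer hashes every DS RR in the RRset, including ones a validator will skip, so those records are free attacker-controlled input to the hash. The Python below is an added example (not Florian's code or anything from the thread) that builds the canonical DS RRset form a signer hashes (RFC 4034, section 6) and adds a pre-signing sanity check a parent-zone operator could apply to refuse such padding; the assigned digest-type table, the policy maximum and the sample DS records are assumptions constructed for this example.

```python
import hashlib
import struct

DS_TYPE = 43      # RR type code for DS
CLASS_IN = 1

# DS digest types assigned in the IANA registry (SHA-1, SHA-256,
# GOST R 34.11-94, SHA-384) mapped to their digest length in octets.
# Which types a parent accepts is policy; this table is an assumption
# of the example, as is the per-delegation maximum below.
ASSIGNED_DIGEST_TYPES = {1: 20, 2: 32, 3: 32, 4: 48}
MAX_DS_PER_DELEGATION = 8


def name_to_wire(name):
    """Canonical owner name (RFC 4034, 6.2): lowercase, uncompressed wire form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_rdata(key_tag, algorithm, digest_type, digest):
    """DS RDATA (RFC 4034, 5.1): key tag, algorithm, digest type, digest."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def canonical_rrset(owner, ttl, rdatas):
    """Canonical form of a DS RRset as it enters the RRSIG hash (RFC 4034, 6.3).

    RRs are sorted by RDATA as left-justified unsigned octet strings, which is
    exactly Python's ordering on bytes; duplicate RRs collapse to one.
    """
    wire_owner = name_to_wire(owner)
    out = b""
    for rdata in sorted(set(rdatas)):
        out += wire_owner + struct.pack("!HHIH", DS_TYPE, CLASS_IN, ttl, len(rdata)) + rdata
    return out


def signing_input_hash(owner, ttl, rdatas, hash_name="sha1"):
    """Hash over the RRset part of the RRSIG input.

    A real signer first prepends the RRSIG RDATA minus the signature field;
    that prefix is chosen by the signer and does not change the point here.
    """
    return hashlib.new(hash_name, canonical_rrset(owner, ttl, rdatas)).hexdigest()


def check_ds_rrset(rdatas):
    """Findings a parent-zone operator can raise before signing a DS RRset.

    A DS RR with an unassigned digest type, a wrong-length digest, or a
    duplicate (key tag, algorithm, digest type) serves no validator and only
    widens what the requester controls in the hashed data.
    """
    findings = []
    seen = set()
    for rdata in rdatas:
        key_tag, algorithm, digest_type = struct.unpack("!HBB", rdata[:4])
        digest = rdata[4:]
        expected_len = ASSIGNED_DIGEST_TYPES.get(digest_type)
        if expected_len is None:
            findings.append("key tag %d: unassigned digest type %d" % (key_tag, digest_type))
        elif len(digest) != expected_len:
            findings.append("key tag %d: digest length %d, expected %d"
                            % (key_tag, len(digest), expected_len))
        triple = (key_tag, algorithm, digest_type)
        if triple in seen:
            findings.append("key tag %d: duplicate DS for algorithm %d digest type %d" % triple)
        seen.add(triple)
    if len(rdatas) > MAX_DS_PER_DELEGATION:
        findings.append("%d DS RRs exceeds policy maximum %d"
                        % (len(rdatas), MAX_DS_PER_DELEGATION))
    return findings


# Constructed sample data: a plausible DS RRset for a delegation, and the
# same set padded with DS RRs of an unassigned digest type (200), which a
# validator ignores but a signer still hashes.
LEGIT_DS = [
    ds_rdata(0x3000, 8, 2, bytes(range(32))),   # RSASHA256 key, SHA-256 digest
    ds_rdata(0x1000, 8, 1, bytes(range(20))),   # second key, SHA-1 digest
]
PADDED_DS = LEGIT_DS + [
    ds_rdata(0x4141, 8, 200, b"\xaa" * 32),
    ds_rdata(0x4242, 8, 200, b"\xbb" * 32),
]

if __name__ == "__main__":
    print("legit  :", signing_input_hash("example.org.", 86400, LEGIT_DS))
    print("padded :", signing_input_hash("example.org.", 86400, PADDED_DS))
    for finding in check_ds_rrset(PADDED_DS):
        print("reject :", finding)
```

The padding records change the hashed bytes without changing what any validator checks, which is exactly the freedom a collision search needs; refusing to sign them removes it at the parent.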
From owner-namedroppers@ops.ietf.org Mon May 18 06:24:10 2009
Date: Mon, 18 May 2009 10:21:07 +0200
From: bert hubert
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Subject: Re: [dnsext] Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
Message-ID: <3efd34cc0905180121j6f2a44fg412b84739f7364f9@mail.gmail.com>
In-Reply-To: <20090518075826.GA936@nic.fr>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090518075826.GA936@nic.fr>

On Mon, May 18, 2009 at 9:58 AM, Stephane Bortzmeyer wrote:
> So, I really believe that the message you mention was wrong. EDNS-PING
> can have its option code through an individual Informational
> RFC. (There are, after all, 65535 possible option codes.)

I think I recall IANA stating there was some confusion. In general the
point is moot since both EDNS option code 4 and 5 are in actual &
somewhat wide use and I guess no-one would want to use these option
codes anymore since they are 'polluted'.

Bert

From owner-namedroppers@ops.ietf.org Mon May 18 06:31:15 2009
Date: Mon, 18 May 2009 09:28:11 -0400
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <20090518132811.GD4057@shinkuro.com>
In-Reply-To: <20090518092557.GB23462@vacation.karoshi.com.>
References: <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net> <20090518092557.GB23462@vacation.karoshi.com.>

[no hat]

On Mon, May 18, 2009 at 09:25:57AM +0000, bmanning@vacation.karoshi.com wrote:

> 	s/ISC/Dominant DNS implementors/

i.e. those with running code?

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

From owner-namedroppers@ops.ietf.org Mon May 18 06:45:42 2009
Date: Mon, 18 May 2009 15:42:23 +0200
Message-ID: <4A1165BF.8000605@nlnetlabs.nl>
From: "W.C.A.
Wijngaards" User-Agent: Thunderbird 2.0.0.21 (X11/20090320) MIME-Version: 1.0 To: "namedroppers@ops.ietf.org" Subject: [dnsext] DNAME update draft UD bit X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Mon, 18 May 2009 15:42:24 +0200 (CEST) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi WG, The DNAME update draft contains a new feature: the UD bit. This bit is used by a resolver to signal the authority server that CNAME synthesis is not necessary. It can be used to provide a lighter load for hosting DNAME records. Initially this feature was incorporated, more than a year ago I believe, with lukewarm support (but not opposition) from the working group. It was believed that for IDN purposes DNAMEs might be used in the root, and less load on the critical servers is a good thing. I wonder if there is still any reason to add a UD bit? Against the UD bit are: the fact it takes on of the precious 16 EDNS0 flags. Also cname synthesis support will be necessary anyway for legacy resolvers. And my personal adverse feeling towards more complexity, signaling and negotiation to the DNS when it is not necessary. Can we take away the UD bit? Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEUEARECAAYFAkoRZb8ACgkQkDLqNwOhpPgjDACfd5I92uP8ZRSOEAeyyuJlkMV5 +n0Aliyfc0+Wv54Z7Mt2ZEt3c5KOdsQ= =Fv8l -----END PGP SIGNATURE----- -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
From owner-namedroppers@ops.ietf.org Mon May 18 06:49:24 2009
Date: Mon, 18 May 2009 13:45:25 +0000
From: bmanning@vacation.karoshi.com
To: Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <20090518134525.GA25815@vacation.karoshi.com.>
In-Reply-To: <20090518132811.GD4057@shinkuro.com>

On Mon, May 18, 2009 at 09:28:11AM -0400, Andrew Sullivan wrote:
> [no hat]
>
> On Mon, May 18, 2009 at 09:25:57AM +0000, bmanning@vacation.karoshi.com wrote:
>
> > s/ISC/Dominant DNS implementors/
>
> i.e. those with running code?

one assumes that they achieve their dominant position based on use of running code - instead of being dominant in other traits, YMMV... :)

--bill

From owner-namedroppers@ops.ietf.org Mon May 18 06:52:43 2009
Date: Mon, 18 May 2009 09:49:06 -0400
From: Andrew Sullivan
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Subject: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
Message-ID: <20090518134906.GE4057@shinkuro.com>
In-Reply-To: <20090518075826.GA936@nic.fr>

Stephane (and Bert),

On Mon, May 18, 2009 at 09:58:26AM +0200, Stephane Bortzmeyer wrote:
> bert hubert wrote
> > I have also been pointedly informed [3] that EDNS-PING, which
> > requires an EDNS option code, can't succeed as an individual draft
> > either since only the DNSEXT WG can authorize the issue of such an
> > EDNS option code from IANA.
> >
> > [3]
> > http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00676.html
>
> Yes, this is what is written in the message you mention but I am not
> convinced.
>
> RFC 2671 says:
>
>    any published RFC (including Informational, Experimental, or BCP)
>    should be grounds for allocation of an EDNS Option Code.

Since I was the one who drafted [3], I need to clarify it. Sorry that the reasoning wasn't clear.

The simple fact is that an EDNS0 Option Code requires publication of an RFC. The draft for that RFC is going to require an IANA section, and that IANA section will request the assignment of the option code. Moreover, the publication will require IETF consensus. These are all just process rules.

Now, one of two things is possible in the case the work does not come out of the DNSEXT WG. Either the sponsoring AD will send the work here for review anyway, or else the sponsoring AD won't. In the former case, the work is back here, so we might as well come to some conclusion before it goes to the IESG. In the latter case, the discussion moves to the IETF, where exactly the same debates that might otherwise happen here are instead hashed out on the general community list. At some point, someone on the IETF list will (correctly IMHO) ask why, if the DNS people don't agree about this yet, the work isn't being discussed on the mailing list explicitly devoted to working on the DNS protocol.

So, even though there is a _de jure_ way that the work need not proceed through the working group, as a matter of practice this WG is going to end up involved somehow in any EDNS0 Option Code assignment that is the slightest bit controversial.

If anyone thinks this is completely mistaken, however, I'd be interested to hear the argument. (The argument would, I think, be a fairly knock-down proof that the WG could be wound up more or less immediately.)

Best regards,

Andrew

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
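Bert's remark that EDNS option codes 4 and 5 are already in use, and the option code allocation rules Andrew describes, both concern fields of the OPT pseudo-RR defined in RFC 2671. The Python below is an added example for this archive, not code from the thread or from any implementation named in it. It parses a constructed OPT record, extracts the version, the 16 EDNS0 flag bits (DO is the top bit), and the option TLVs, and rejects any option whose declared length runs past RDLENGTH, which is the check a receiver needs before it acts on an option code it does not recognize. The option names and sample data are assumptions for the example; only code 3 (NSID, RFC 5001) is named.

```python
"""Parse an EDNS(0) OPT pseudo-RR (RFC 2671 wire format).

Added example for illustration; SAMPLE_OPT below is constructed, not
captured from any server.
"""
import struct

OPT_TYPE = 41
DO_FLAG = 0x8000            # DNSSEC OK (RFC 3225): top bit of the 16 EDNS0 flags
OPTION_NAMES = {3: "NSID"}  # RFC 5001; other codes are reported by number


class MalformedOpt(ValueError):
    """The OPT record does not fit its own declared lengths."""


def parse_opt(rr):
    """Return the EDNS fields of one OPT RR given in uncompressed wire format.

    Layout: NAME (root, one zero octet), TYPE 41, CLASS = sender's UDP
    payload size, TTL = extended RCODE (8 bits) | version (8 bits) |
    16 flag bits, RDLENGTH, then {option-code, option-length, option-data}
    triples until RDLENGTH is used up.
    """
    if len(rr) < 11 or rr[0] != 0:
        raise MalformedOpt("OPT needs the root name plus a 10-octet fixed part")
    rtype, payload_size, ttl, rdlength = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise MalformedOpt("type %d is not OPT (41)" % rtype)
    rdata = rr[11:]
    if len(rdata) != rdlength:
        raise MalformedOpt("RDLENGTH %d but %d octets present" % (rdlength, len(rdata)))

    options = []
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise MalformedOpt("truncated option header at offset %d" % pos)
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            # An option-length running past RDLENGTH is the classic over-read;
            # reject the whole record instead of guessing at the data.
            raise MalformedOpt("option %d claims %d octets past the end" % (code, length))
        options.append({"code": code,
                        "name": OPTION_NAMES.get(code, "unknown-%d" % code),
                        "data": rdata[pos:pos + length]})
        pos += length

    return {"udp_payload_size": payload_size,
            "extended_rcode": (ttl >> 24) & 0xFF,
            "version": (ttl >> 16) & 0xFF,
            "flags": ttl & 0xFFFF,
            "do": bool(ttl & DO_FLAG),
            "options": options}


def is_malformed(rr):
    """True when parse_opt rejects the record (usable as a pre-filter)."""
    try:
        parse_opt(rr)
    except MalformedOpt:
        return True
    return False


def build_opt(payload_size, flags, options):
    """Assemble an OPT RR (version 0, extended RCODE 0); used to construct input."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload_size, flags & 0xFFFF, len(rdata)) + rdata


# Constructed samples: a well-formed OPT with DO set, an NSID option and an
# option using code 4 (one of the codes the thread says is already in use),
# and a broken one whose option-length overruns RDLENGTH.
SAMPLE_OPT = build_opt(4096, DO_FLAG, [(3, b"ns1"), (4, b"\xde\xad")])
BAD_LENGTH_OPT = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 512, 0, 6) + struct.pack("!HH", 3, 10) + b"xx"

if __name__ == "__main__":
    parsed = parse_opt(SAMPLE_OPT)
    print("DO=%s flags=0x%04x" % (parsed["do"], parsed["flags"]))
    for opt in parsed["options"]:
        print("  option %d (%s): %r" % (opt["code"], opt["name"], opt["data"]))
    print("bad record rejected:", is_malformed(BAD_LENGTH_OPT))
```

Any option code not in OPTION_NAMES is still returned, just labelled by number: an unknown code must be ignored by the receiver, not treated as an error, whereas a length that does not fit the record is rejected outright.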
From owner-namedroppers@ops.ietf.org Mon May 18 07:09:15 2009
Date: Mon, 18 May 2009 07:05:02 -0700
From: Paul Hoffman
To: Florian Weimer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
In-Reply-To: <82eiumh8md.fsf@mid.bfk.de>
References: <82eiumzw0c.fsf@mid.bfk.de> <82eiumh8md.fsf@mid.bfk.de>

At 2:56 PM +0200 5/18/09, Florian Weimer wrote:
>Right now, this is rather theoretical because a sufficiently potent
>attack for SHA-1 has not been published.

Correct. In fact, not a single actual collision for SHA-1 has been published.

>However, it is widely
>believed that such attacks are just around the corner.

Could you point to some references on that? I have not heard anyone in the crypto community saying that. Of course, it depends on what you mean by "just around the corner".

I do *not* support the use of randomized hashing for DNSSEC; the use of already-defined better hash algorithms (SHA-256) is a much better option.

--Paul Hoffman, Director
--VPN Consortium

From owner-namedroppers@ops.ietf.org Mon May 18 07:09:52 2009
Date: Mon, 18 May 2009 14:05:49 +0000
From: Paul Vixie
To: "Aki Tuomi"
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE
Message-ID: <99449.1242655549@nsa.vix.com>
In-Reply-To: <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net>

> Date: Mon, 18 May 2009 11:40:23 +0300
> From: "Aki Tuomi"
> ...
> I have a bad feeling that the correct answer (although they won't admit
> it) is that ISC is the one who decides. After all, their proponents seem
> to get the "final say" on how things are done.

frequent simultaneity does not necessarily require causality. ISC has hired the best people we could get, and we will continue to do so. (CVs to me plz) those people, due to their long experience, tend to have a lot to say which is often intelligent and rational. if you see ISC people winning arguments or leading consensus, that may be because of our selection criteria for employees, and not because of ISC's brand strength or BIND's market size.

once in a while we do stuff that's controversial and we do it outside IETF. for example, delegation only, and DNSSEC lookaside validation (DLV). these features are never enabled by default in our code base since they are not part of the IETF DNS standard, to which we adhere strongly. note that some of the stuff IETF has come up with (DNSSEC, EDNS) has also been controversial in the eyes of our user/customer base, but we default it to "on" when we can do it without breaking existing configurations. where we encounter problems in the field like open recursion, we try to work with the IETF DNSEXT WG to get a draft RFC written, specifically so that we can change the default BIND configuration. (for open recursion, we wanted to default to allowing queries only from the locally attached networks, and the result was RFC 5358, and the BIND version that changed this default did in fact break some working configurations, but it was absolutely unavoidable.)

a few years back when i saw this WG as moribund i tried to start a separate entity called DNS-MODA that would push for new DNS technology and standards, and for a while we (ISC, WIDE, Autonomica) thought we might get that going. in the end we found a lack of institutional interest (that is, sponsorship and active participation) in anything more ambitious than this working group, so we shut DNS-MODA down. i'm still interested in something like that, btw.

so to the extent possible, ISC works within the IETF standards process, and we are bound by tradition to implement whatever DNS standards come from this working group. and we have some of the best DNS technologists in the field, which is the reason you so often see ISC people getting consensus on stuff. (getting consensus inside ISC is often a much rougher process than the debates and discussions you can see on namedroppers@, btw.)

note that this nonadmission of decisionmaking powers by ISC also contains an alternative explanation for the appearance thereof.

paul vixie
president
isc
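Paul Hoffman's message earlier in this thread argues for moving DNSSEC to already-defined stronger hashes rather than randomized hashing. The place where DNSSEC already has that agility is the DS record's digest type field: type 1 is SHA-1 (RFC 4034), type 2 is SHA-256 (RFC 4509). The Python below is an added example, not code from the thread or from any DNSSEC implementation; it computes the key tag (RFC 4034 Appendix B) and the DS digest for a constructed DNSKEY whose public-key octets are placeholders, not a real key, and shows the same DNSKEY published under both digest types, which is how a zone carries both during a transition off SHA-1.

```python
"""DS digest and key tag for a DNSKEY (RFC 4034, RFC 4509).

Added example. The DNSKEY below is constructed: its public-key field is
four placeholder octets, not usable key material.
"""
import hashlib
import struct

# The two DS digest types defined by RFC 4034 (1, SHA-1) and RFC 4509 (2, SHA-256).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_wire_name(name):
    """Owner name in canonical (lowercase, uncompressed) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label %r is not 1..63 octets" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Hex DS digest = H(canonical owner name || DNSKEY RDATA)."""
    try:
        h = DIGEST_TYPES[digest_type]
    except KeyError:
        raise ValueError("unsupported DS digest type %d" % digest_type) from None
    return h(canonical_wire_name(owner) + rdata).hexdigest()


def ds_record(owner, rdata, digest_type):
    """Presentation-format DS RDATA: key tag, algorithm, digest type, digest."""
    algorithm = rdata[3]
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type,
                            ds_digest(owner, rdata, digest_type))


# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 5 (RSA/SHA-1),
# placeholder key octets.
SAMPLE_OWNER = "example.com."
SAMPLE_RDATA = dnskey_rdata(257, 3, 5, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    # A zone moving off SHA-1 publishes both DS forms for the same key.
    for dt in (1, 2):
        print("%s IN DS %s" % (SAMPLE_OWNER, ds_record(SAMPLE_OWNER, SAMPLE_RDATA, dt)))
```

The key tag is the same for both records because it is computed over the DNSKEY RDATA, not the digest; only the digest type and digest differ, so a validator that understands type 2 can ignore the type 1 record entirely.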
From owner-namedroppers@ops.ietf.org Mon May 18 07:10:22 2009
Date: Mon, 18 May 2009 14:08:32 +0000
From: Paul Vixie
To: "W.C.A. Wijngaards"
Cc: "namedroppers@ops.ietf.org"
Subject: Re: [dnsext] DNAME update draft UD bit
Message-ID: <99568.1242655712@nsa.vix.com>
In-Reply-To: <4A1165BF.8000605@nlnetlabs.nl>

> Date: Mon, 18 May 2009 15:42:23 +0200
> From: "W.C.A. Wijngaards"
> ...
> Against the UD bit are: the fact that it takes one of the precious 16 EDNS0
> flags. Also CNAME synthesis support will be necessary anyway for legacy
> resolvers. And my personal adverse feeling towards more complexity,
> signaling and negotiation to the DNS when it is not necessary. Can we
> take away the UD bit?

+1.

From owner-namedroppers@ops.ietf.org Mon May 18 07:16:40 2009
Date: Mon, 18 May 2009 10:13:21 -0400
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNAME update draft UD bit
Message-ID: <20090518141320.GG4057@shinkuro.com>
In-Reply-To: <4A1165BF.8000605@nlnetlabs.nl>

On Mon, May 18, 2009 at 03:42:23PM +0200, W.C.A. Wijngaards wrote:
> with lukewarm support (but not opposition) from the working group. It
> was believed that for IDN purposes DNAMEs might be used in the root, and
> less load on the critical servers is a good thing. I wonder if there is
> still any reason to add a UD bit?

IDNA2008 (which is what the new version of the protocol is called), unless it is modified considerably from how it stands right now, removes most of the mapping from the older IDNA version (called IDNA2003). This means that things that were valid in IDNA2003 may or may not be valid under a registry's (i.e. zone operator's) policies in IDNA2008; and things that were _not_ valid in IDNA2003 may be valid under the operator's policies in IDNA2008.

The IDNAbis WG's charter prohibits it from changing the IDNA prefix (xn--) used on ACE names; while such a prefix change would seem to be obvious when adopting a strictly incompatible change such as IDNA2008, for various other reasons the people working on this problem thought that would be a bad idea. Given that there will be a period where clients using both protocols will be deployed, there will be some need to provide compatibility mappings between the two IDNA versions for some period of time (possibly infinitely long).

In the absence of ENAME (equivalent-name, in which a given set of labels is just "swapped out" for an "equivalent", wherever the former shows up), DNAME seems to be the best candidate. Even if no root label ends up needing DNAMEs for this purpose, it is all but certain that TLDs will need it.

I don't know whether that means we need the UD bit, but I thought this would be important background to have when making the decision.

A

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
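Wouter's message describes the UD bit as a way for a resolver to tell an authoritative server that CNAME synthesis for a DNAME is not needed, and Andrew's message describes DNAME as the likely compatibility tool between IDNA2003 and IDNA2008 names at TLDs. The Python below is an added example covering both, not code from the DNAME update draft or from either poster. It performs the substitution a DNAME defines (RFC 2672: the DNAME owner suffix of the query name is replaced by the target), synthesizes the CNAME a legacy resolver depends on, follows the chain within the zone with a loop guard, and refuses the case where the substituted name would exceed 255 octets, which RFC 2672 section 4.1 answers with RCODE YXDOMAIN. The zone, its addresses and the loop limit are constructed for the example; the ACE label is whatever Python's IDNA (2003) codec produces for "bücher".

```python
"""DNAME substitution and CNAME synthesis (RFC 2672).

Added example over a constructed zone; not code from the DNAME update
draft or from any server named in the thread.
"""

MAX_NAME_OCTETS = 255   # RFC 1035 limit on a wire-format name
MAX_CHAIN = 8           # assumed guard against DNAME loops in a broken zone


class YXDomain(Exception):
    """Substituted name would exceed 255 octets: RCODE YXDOMAIN (RFC 2672 4.1)."""


def labels(name):
    """Presentation-format name -> list of lowercase labels, root omitted."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def normalize(name):
    """Canonical presentation form: lowercase with trailing dot."""
    return ".".join(labels(name)) + "."


def wire_length(name):
    """Octets an ASCII/ACE name occupies in uncompressed wire format."""
    return sum(1 + len(l) for l in labels(name)) + 1


def dname_substitute(qname, owner, target):
    """Apply a DNAME owner -> target to qname.

    Returns the substituted name when qname is strictly below owner. The
    owner itself is not substituted (a query for it gets the DNAME record
    back). Returns None when the DNAME does not apply.
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new_name = ".".join(q[:len(q) - len(o)] + t) + "."
    if wire_length(new_name) > MAX_NAME_OCTETS:
        raise YXDomain(new_name)
    return new_name


def would_be_yxdomain(qname, owner, target):
    """True when applying the DNAME must be answered with YXDOMAIN."""
    try:
        dname_substitute(qname, owner, target)
    except YXDomain:
        return True
    return False


def answer(qname, zone, depth=0):
    """Answer section for qname from a zone dict {owner: [(type, rdata), ...]}.

    When a DNAME applies, the DNAME itself and a synthesized CNAME are
    returned; the CNAME is what a resolver that does not understand DNAME
    relies on (the UD bit debated in the thread would let a DNAME-aware
    resolver ask for it to be left out). The chain is then followed.
    """
    if depth > MAX_CHAIN:
        raise RuntimeError("DNAME chain too long; zone is probably looping")
    qname = normalize(qname)
    rrs = []
    for owner, rrset in zone.items():
        for rtype, rdata in rrset:
            if rtype != "DNAME":
                continue
            new_name = dname_substitute(qname, owner, rdata)
            if new_name is None:
                continue
            rrs.append((normalize(owner), "DNAME", rdata))
            rrs.append((qname, "CNAME", new_name))
            rrs.extend(answer(new_name, zone, depth + 1))
            return rrs
    rrs.extend((qname, t, r) for t, r in zone.get(qname, []))
    return rrs


# Constructed zone. ACE_OLD is the IDNA2003 encoding of "bücher"; an
# operator could DNAME such a label to the name it wants treated as
# equivalent. LONG_TARGET exists only to exercise the 255-octet limit.
ACE_OLD = "b\u00fccher".encode("idna").decode("ascii")       # xn--bcher-kva
LONG_TARGET = ".".join(["x" * 60] * 4) + "."                # 245 octets on the wire
ZONE = {
    ACE_OLD + ".example.": [("DNAME", "buecher.example.")],
    "buecher.example.": [("A", "192.0.2.10")],
    "www.buecher.example.": [("A", "192.0.2.11")],
    "long.example.": [("DNAME", LONG_TARGET)],
}

if __name__ == "__main__":
    for rr in answer("www." + ACE_OLD + ".example.", ZONE):
        print(rr)
    print("YXDOMAIN:", would_be_yxdomain("y" * 63 + "." + "z" * 63 + ".long.example.",
                                         "long.example.", LONG_TARGET))
```

The synthesized CNAME is exactly what a server saves by honouring a UD bit; everything else in the answer (the DNAME record and the records found under the substituted name) is needed either way.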
From owner-namedroppers@ops.ietf.org Mon May 18 07:28:19 2009
Date: Mon, 18 May 2009 10:24:40 -0400
From: Edward Lewis
To: "namedroppers@ops.ietf.org"
Cc: ed.lewis@neustar.biz
Subject: Adoption criteria, was Re: [dnsext] DNSCURVE
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>

At 12:32 -0700 5/16/09, Matthew Dempsky wrote:
>No DNSCurve developer is concerned yet with this WG adopting it, so if
>you're genuinely interested in discussing DNSCurve, you'll have to
>rely on the dnscurve.org web site for details for now.

I think (as in not really sure, but I think) that for something to be considered "by the IETF" there are IPR considerations. When an Internet Draft is submitted, the process includes the submitter agreeing to the Note Well statement. If we discuss stuff that hasn't cleared that hurdle, there could be trouble. (Like, "hey let's look at some proprietary software's documentation for ideas...")

At 18:11 -0700 5/16/09, Paul Hoffman wrote:
>I can't speak for others, but then I think the correct answer from the WG
>is "thanks but no thanks". Not having a stable reference is a pretty heavy
>impediment, particularly when the DNS-specific parts change. If a "DNSCurve
>developer" wants to spend the hour or two it takes to convert the disparate
>stuff from the web site into an Internet Draft, that would be lovely.

I wouldn't say we need a stable reference. That is a bar too high. By that standard, we would never do anything but rubber stamp proposals.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From owner-namedroppers@ops.ietf.org Mon May 18 07:47:38 2009
Date: Mon, 18 May 2009 17:32:43 +0300
From: "Aki Tuomi"
Subject: RE: [dnsext] Increasing hash collision resilience
Message-ID: <86048CA3B4B17E459FFD4F3F383AD88F13F27BF9@fi-hel2ex01.nordiclan.net>
References: <82eiumzw0c.fsf@mid.bfk.de> <82eiumh8md.fsf@mid.bfk.de>

> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Paul Hoffman
> Sent: Monday, May 18, 2009 5:05 PM
> To: Florian Weimer; namedroppers@ops.ietf.org
> Subject: Re: [dnsext] Increasing hash collision resilience
>
> At 2:56 PM +0200 5/18/09, Florian Weimer wrote:
> >Right now, this is rather theoretical because a sufficiently potent
> >attack for SHA-1 has not been published.
>
> Correct. In fact, not a single actual collision for SHA-1 has been
> published.
>
> >However, it is widely
> >believed that such attacks are just around the corner.
>
> Could you point to some references on that? I have not heard anyone in
> the crypto community saying that. Of course, it depends on what you
> mean by "just around the corner".
>
> I do *not* support the use of randomized hashing for DNSSEC; the use of
> already-defined better hash algorithms (SHA-256) is a much better
> option.
>
> --Paul Hoffman, Director
> --VPN Consortium

I wonder if use of SHA-256 will only postpone the problem, unless the algorithm is sufficiently different.

---
Aki Tuomi
TDC Oy

From owner-namedroppers@ops.ietf.org Mon May 18 07:52:26 2009
Date: Mon, 18 May 2009 07:49:23 -0700
From: Paul Hoffman
To: Edward Lewis, "namedroppers@ops.ietf.org"
Subject: Re: Adoption criteria, was Re: [dnsext] DNSCURVE
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu>

At 10:24 AM -0400 5/18/09, Edward Lewis wrote:
>At 18:11 -0700 5/16/09, Paul Hoffman wrote:
>
>>I can't speak for others, but then I think the correct answer from the WG
>>is "thanks but no thanks". Not having a stable reference is a pretty heavy
>>impediment, particularly when the DNS-specific parts change. If a "DNSCurve
>>developer" wants to spend the hour or two it takes to convert the disparate
>>stuff from the web site into an Internet Draft, that would be lovely.
>
>I wouldn't say we need a stable reference. That is a bar too high. By that
>standard, we would never do anything but rubber stamp proposals.

Sorry, I overstated the requirement. We need a stable *document* of the current state of the proposal. I think we all agree to that.

--Paul Hoffman, Director
--VPN Consortium
From owner-namedroppers@ops.ietf.org Mon May 18 08:09:03 2009
From: Ólafur Guðmundsson /DNSEXT chair
To: Stephane Bortzmeyer, namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 10:56:53 -0400
Subject: Re: [dnsext] Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

At 03:58 18/05/2009, Stephane Bortzmeyer wrote:
>On Sat, May 16, 2009 at 12:02:57AM +0200,
> bert hubert wrote
> a message of 65 lines which said:
>
> > I have also been pointedly informed [3] that EDNS-PING, which
> > requires an EDNS option code, can't succeed as an individual draft
> > either since only the DNSEXT WG can authorize the issue of such an
> > EDNS option code from IANA.
>
> > [3]
> > http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00676.html
>
>Yes, this is what is written in the message you mention but I am not
>convinced.
>
>RFC 2671 says:
>
>   any published RFC (including Informational, Experimental, or BCP)
>   should be grounds for allocation of an EDNS Option Code.
>
>And the IANA registry
>says:
>
>Registry Name: DNS EDNS0 Options
>Reference: [RFC5001]
>Registration Procedures: Specification required
>
>And "Specification required" is defined in RFC 5226 as not even
>requesting a RFC.
>
>So, I really believe that the message you mention was wrong. EDNS-PING
>can have its option code through an individual Informational
>RFC. (There are, after all, 65535 possible option codes.)

The registry is wrong, and that is partially my fault. The registry was
specified by RFC2671 but NOT created by IANA, as the WG and IESG let this
document advance without an IANA considerations section saying IANA
needed to create a registry.

RFC2671 says "Published RFC" as the allocation mechanism for EDNS0 options
(see last paragraph in section 7). Any individual RFC will be sent to
DNSEXT for comment by the IESG, thus no end run is possible.

RFC5001 was the first RFC to register an option, thus its publication
forced the issue to create the registry.

I'm hoping that the WG will turn its attention to work on RFC2671-bis and
in that context figure out what the right rule is and specify it.

Olafur

From owner-namedroppers@ops.ietf.org Mon May 18 08:18:29 2009
From: Edward Lewis
To: "Aki Tuomi"
Date: Mon, 18 May 2009 11:09:29 -0400
Subject: RE: [dnsext] Increasing hash collision resilience

At 17:32 +0300 5/18/09, Aki Tuomi wrote:
>I wonder if use of SHA-256 will only postpone the problem, unless the
>algorithm is sufficiently different.

All that cryptography ever does is "postpone the problem" - hopefully long
enough that a successful attack no longer matters. ;)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
From owner-namedroppers@ops.ietf.org Mon May 18 08:34:23 2009
From: Basil Dolmatov
To: Stephane Bortzmeyer
Cc: Andrew Sullivan, namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 19:30:16 +0400
Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE

Stephane Bortzmeyer writes:
>
> Which leads to a question (which is not only related to DNScurve but
> also to the EDNS-PING or cookies assassinations): what body is in
> charge of the DNS security?

Mine, for instance

dol@

From owner-namedroppers@ops.ietf.org Mon May 18 08:34:54 2009
From: Paul Hoffman
To: "Aki Tuomi"
Date: Mon, 18 May 2009 08:32:39 -0700
Subject: RE: [dnsext] Increasing hash collision resilience

At 5:32 PM +0300 5/18/09, Aki Tuomi wrote:
>I wonder if use of SHA-256 will only postpone the problem, unless the
>algorithm is sufficiently different.

For some value of "postpone", yes. However, watching the research on MD5
and SHA-1, it appears that the length of the hash output has a *huge*
effect on finding differential paths, much less finding useful ones.

The argument for randomized hashing is that you don't need to worry about
reductions in collision resistance. Two arguments against randomized
hashing are that it relies on the unpredictability of the salt added and
it adds one more place for interoperability to fail. That is, we are
weighing a cryptographic principle against operational issues. I strongly
tend towards having as few operational requirements as possible.

--Paul Hoffman, Director
--VPN Consortium

From owner-namedroppers@ops.ietf.org Mon May 18 08:44:36 2009
From: Eric Brunner-Williams
To: Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 10:42:04 -0500
Subject: Re: [dnsext] DNAME update draft UD bit

> Even if no root label ends up needing DNAMEs for this purpose, it is
> all but certain that TLDs will need it.
>
I think it is reasonable to assume that the use case for ENAME (or DNAME)
extends to one or more elements of the anticipated set which may be added
to the root within the next several years.

Eric

From owner-namedroppers@ops.ietf.org Mon May 18 09:02:43 2009
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 11:57:55 -0400
Subject: Re: [dnsext] DNAME update draft UD bit

[no hat]

On Mon, May 18, 2009 at 10:42:04AM -0500, Eric Brunner-Williams wrote:
> I think it is reasonable to assume that the use case for ENAME (or
> DNAME) extends to one or more elements of the anticipated set which may
> be added to the root within the next several years.

Well, let's be careful. I made up ENAME out of whole cloth (because
there's some magical behaviour in it that currently conforms to what
people seem to want). So if something is needed, it's going to be DNAME
or nothing. (Besides, even if we knew how to invent ENAME so that the
magic result was in fact achievable -- and I'm of little brain, so it
won't be me who can do this -- it'd be a long time before we were in a
position to recommend it for use at the root.)

The right answer to Wouter's question, therefore, is whether the
additional complexity is worth the gains from UD.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
From owner-namedroppers@ops.ietf.org Mon May 18 09:05:11 2009
From: Nicholas Weaver
To: Paul Hoffman
Cc: Nicholas Weaver, "Aki Tuomi"
Date: Mon, 18 May 2009 09:02:44 -0700
Subject: Re: [dnsext] Increasing hash collision resilience

Remember: The ideal use of cryptography is about postponing the problem
until the opponent is able to either build a quantum computer or has a
few cubic parsecs of sci-fi nanotech.

From owner-namedroppers@ops.ietf.org Mon May 18 09:22:39 2009
From: Matthew Dempsky
To: Florian Weimer
Cc: namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 09:18:57 -0700
Subject: Re: [dnsext] DNSCURVE

On Mon, May 18, 2009 at 12:42 AM, Florian Weimer wrote:
> Why has DNSCURVE a fallback to port 53? Why don't implementations
> switch to a different port when they see DNSCURVE support in the NS
> record?

I believe this decision was made to be backwards compatible with existing
firewall rules. If a DNS cache can currently send queries to servers,
then it should also be able to immediately start using DNSCurve without
any firewall changes.

An example use case is running a local DNS cache on an untrusted network
where you cannot control the firewall settings.
From owner-namedroppers@ops.ietf.org Mon May 18 09:24:30 2009
From: Florian Weimer
To: Paul Vixie
Cc: Shane Kerr, namedroppers
Date: Mon, 18 May 2009 18:22:01 +0200
Subject: Re: Desperate plea for 0x20, was Re: [dnsext] Forgery resilience and meeting in Stockholm

* Paul Vixie:

> because dns-0x20 only asks that an interpretation of 1035 be relaxed that
> nobody was interpreting the other way anyhow, and only affects recursive
> servers who want to deploy it, it's a very low cost proposal. i'm in
> favour of adopting it as a WG item independent of anything else we do or
> don't do for hop-by-hop or end-to-end security.

0x20 has a hidden cost: If you include 0x20 as a supported feature in a
resolver, any phenomenon which allows you to spoof under a different
QNAME/QTYPE combination is a security vulnerability because it breaks the
additional protection offered by 0x20. Both your draft and the paper
provide no indication how to deal with this problem, unfortunately.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
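The resolver-side bookkeeping that dns-0x20 depends on, as an added example (not code from the thread, the dns-0x20 draft or any resolver): the QNAME's letter case is randomised on the way out, and a reply counts only if its question section echoes the bytes sent, ID, QTYPE and QCLASS included. `Question`, `Message`, `Resolver0x20` and `authoritative_echo` are names made up for the illustration; the sample name `www.example.com` is constructed.

```python
"""Resolver-side model of dns-0x20: randomise QNAME letter case, then insist
that a reply echo the question exactly (case, ID, QTYPE and QCLASS).
Hypothetical simplified model, not a real resolver's code."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Question:
    """Question section of a DNS message (only the fields the check needs)."""
    qname: str
    qtype: int
    qclass: int = 1  # IN


@dataclass(frozen=True)
class Message:
    """Transaction ID plus question; answer RRs are omitted on purpose."""
    txid: int
    question: Question


def entropy_bits(qname: str) -> int:
    """Extra bits 0x20 adds for this name: one per ASCII letter.

    Digits, hyphens and label dots carry no case, so a mostly numeric name
    (a reverse-mapping name, say) gains little beyond its fixed suffix.
    """
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def randomize_case(qname: str, bits: int) -> str:
    """Apply bit i of `bits` to the i-th ASCII letter: set -> upper case.

    Under RFC 1035 the result is still the same owner name (name comparison
    is case-insensitive), so a correct authoritative server answers it as
    it would the all-lowercase form.
    """
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


class Resolver0x20:
    """Outstanding-query table plus the strict reply check."""

    def __init__(self, rng=secrets.randbits):
        self._rng = rng          # injectable so a test can be deterministic
        self._pending = {}       # txid -> Question exactly as it was sent

    def send_query(self, qname: str, qtype: int) -> Message:
        """Build the outgoing query: random 16-bit ID, randomised QNAME case."""
        txid = self._rng(16)
        n = entropy_bits(qname)
        question = Question(randomize_case(qname, self._rng(n) if n else 0), qtype)
        self._pending[txid] = question
        return Message(txid, question)

    def accept_reply(self, reply: Message) -> bool:
        """Accept only a reply whose question is byte-identical to what was sent.

        The QNAME comparison is deliberately case-sensitive, unlike ordinary
        DNS name matching, and QTYPE/QCLASS must match too. If a reply for a
        different QNAME/QTYPE combination could get past this point, the case
        bits would add nothing, which is the hidden cost described above.
        """
        sent = self._pending.get(reply.txid)
        if sent is None or reply.question != sent:
            return False
        del self._pending[reply.txid]   # one reply per outstanding query
        return True


def authoritative_echo(query: Message) -> Message:
    """Model a well-behaved authoritative server: the question section is
    copied back verbatim, which is what lets the resolver verify the case."""
    return Message(query.txid, query.question)


if __name__ == "__main__":
    resolver = Resolver0x20()
    q = resolver.send_query("www.example.com", 1)
    print(q.question.qname, entropy_bits("www.example.com"), "extra bits")
    print("verbatim echo accepted:", resolver.accept_reply(authoritative_echo(q)))
```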
From owner-namedroppers@ops.ietf.org Mon May 18 09:24:37 2009
From: Florian Weimer
To: Matthew Dempsky
Cc: namedroppers@ops.ietf.org
Date: Mon, 18 May 2009 18:21:23 +0200
Subject: Re: [dnsext] DNSCURVE

* Matthew Dempsky:

> On Mon, May 18, 2009 at 12:42 AM, Florian Weimer wrote:
>> Why has DNSCURVE a fallback to port 53? Why don't implementations
>> switch to a different port when they see DNSCURVE support in the NS
>> record?
>
> I believe this decision was made to be backwards compatible with
> existing firewall rules. If a DNS cache can currently send queries to
> servers, then it should also be able to immediately start using
> DNSCurve without any firewall changes.

The documentation also suggests that a separate IP address is required in
some cases, so this particular trade-off is rather dubious, IMHO.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
archive: From owner-namedroppers@ops.ietf.org Mon May 18 09:26:32 2009
From: "Aki Tuomi"
Subject: VS: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 19:21:40 +0300
Message-ID: <86048CA3B4B17E459FFD4F3F383AD88F13F27BFB@fi-hel2ex01.nordiclan.net>

Subject: Re: [dnsext] Increasing hash collision resilience
From: "Nicholas Weaver"
Date: 18.05.2009 19:03

> Remember: The ideal use of cryptography is about postponing the
> problem until the opponent is able to either build a quantum computer
> or has a few cubic parsecs of sci-fi nanotech.

I suppose that in the first case we shall see use of quantum cryptography
as well. My original point was, though, the time delay won. I fear that
SHA-256 won't last long enough... Sorry for the poor choice of wordings
that conveyed the wrong message.

archive: From owner-namedroppers@ops.ietf.org Mon May 18 09:28:31 2009
From: Matthew Dempsky
To: Florian Weimer
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] DNSCURVE
Date: Mon, 18 May 2009 09:26:21 -0700
In-Reply-To: <82fxf2fkl8.fsf@mid.bfk.de>

On Mon, May 18, 2009 at 9:21 AM, Florian Weimer wrote:
> The documentation also suggests that a separate IP address is required
> in some cases, so this particular trade-off is rather dubious, IMHO.

No, you can continue using the same IP address if you wanted.  I assume
you're referring to the nytimes.com example, in which case the reason to
set up the DNSCurve forwarder on a new IP address is to be able to test
the forwarder without disrupting DNS traffic to the old IP address.  If
that was not a concern (e.g., if you're using some load balancing to
spread traffic across multiple hosts, or you just don't receive enough
traffic to worry about a single server being down), then you could
install the DNSCurve forwarder in place.  (In either case, you'll still
have to publish the new NS records, of course.)
archive: From owner-namedroppers@ops.ietf.org Mon May 18 09:44:19 2009
From: Ólafur Guðmundsson /DNSEXT chair
To: Florian Weimer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 12:41:36 -0400
Message-Id: <200905181642.n4IGg5tw027927@stora.ogud.com>
In-Reply-To: <82eiumh8md.fsf@mid.bfk.de>

The concern that SHA-1 would become vulnerable before a new generation of
hash algorithms became available was the reason for the WG to rush
RFC4509 through.
http://www.ietf.org/rfc/rfc4509.txt

The message to everyone should be:
- Only list DS with digest algorithm = 2
- or list both digest algorithms 1 and 2

The problem is that some DS records in many cases will be submitted by
children, and the children need to be educated to use digest 2.

Is it time to change the status of SHA-1 in the registry from
"MANDATORY" to "Not recommended" or "Obsolete"?
http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
We need an RFC to make that change.

Cryptographic security is a race between complexity, ingenuity,
computational power and desire; there are no winners, only innocent
bystanders who get inconvenienced.

Olafur

At 08:56 18/05/2009, Florian Weimer wrote:
>* Florian Weimer:
>
>> Currently, DNSSEC is rather exposed to near-state-of-the-art collision
>> attacks when the signature on DS records is computed.
>
>I've been asked privately how such an attack would be carried out.
>The attack sketched below is analogous to the one by Lenstra et al.
>on MD5 CAs.
>
>Suppose that ORG. is signed using DNSSEC, and you want to attack
>EXAMPLE.ORG., that is, get a valid signature on a DS RRset for
>EXAMPLE.ORG. which contains hashes of keys you control.
>
>We haven't got a second preimage attack, so we cannot use the original
>EXAMPLE.ORG. DS RRset and attack it directly.  Instead, we generate
>our own key pair, and create two DS RRsets which hash to the same
>value.  The second RRset is for a domain different from EXAMPLE.ORG.
>(the name does not matter, as long as it is available for
>registration), and both RRsets are stuffed with additional DS RRs,
>ignored by validators, to obtain a collision.  We request a signed
>delegation for the second domain name from the .ORG. zone operator,
>and thanks to the collision, it is also valid for EXAMPLE.ORG.  (It's
>probably necessary to register several domains in parallel because
>there is some uncertainty in the validity period of the RRSIG record.)
>
>Right now, this is rather theoretical because a sufficiently potent
>attack for SHA-1 has not been published.  However, it is widely
>believed that such attacks are just around the corner.

archive: From owner-namedroppers@ops.ietf.org Mon May 18 09:44:28 2009
From: Alex Bligh
To: Paul Hoffman, Florian Weimer, namedroppers@ops.ietf.org
Cc: Alex Bligh
Subject: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 17:33:58 +0100
Message-ID: <657C3F2AEF32EF82F184504D@Ximines.local>

--On 18 May 2009 07:05:02 -0700 Paul Hoffman wrote:

> I do *not* support the use of randomized hashing for DNSSEC; the use of
> already-defined better hash algorithms (SHA-256) is a much better option.

Assuming that Florian's suggestion was not to mandate use of a nonce now,
but merely to consider permitting it by adopting a draft that would
document how a reserved type code could be used for this, I don't really
see the harm. What is the harm you see?

As a wider point, this may be my IETF process naivety, but it seems to me
that there might be too high a threshold in this group in getting a draft
adopted as a w/g draft for discussion. As I understand it, adopting a
draft for discussion does not imply support (let alone unconditional
support) for supporting it at last call stage. This result risks shutting
down potentially viable ideas before they have had the chance to even be
properly considered or explained. I appreciate this may be the result of
the w/g charter.

Florian's proposal seems an ideal example of this. Yes, using SHA-256 is
going to be "better" than SHA-1 in defeating SHA-1 preimage/collision
attacks, but on the other hand it would appear (if I understand it right)
to offer a means of expanding the life of *any* hash that is in the
position SHA-1 is now (i.e. next most easy to find a preimage/collision
attack). We don't know that's the case, because I haven't had the benefit
of Florian writing up a draft, but it seems to me too early to say it is
valueless. If this is right, it could be used to extend the life of
SHA-256 similarly.

-- 
Alex Bligh

archive: From owner-namedroppers@ops.ietf.org Mon May 18 09:54:44 2009
From: Matthew Dempsky
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] Re: DNSCURVE
Date: Mon, 18 May 2009 09:51:57 -0700
In-Reply-To: <20090518081043.GC936@nic.fr>

On Mon, May 18, 2009 at 1:10 AM, Stephane Bortzmeyer wrote:
> I would be
> sufficiently happy with a detailed description of the protocol (the
> closest thing to a specification seems to be
> )

Do you have specific examples of where you think additional details
would be helpful?  (I've implemented DNSCurve support in two separate
products so far, and I thought the existing documentation was
reasonably clear, but I realize what's clear to me may differ from
what's clear to others.)

> Integrity despite         Protects against        Does not protect against
> rogue secondary name      it                      it
> servers of resolvers

Somewhat agree.  I don't have much more time to reply to emails right
now, so I'll just offer an IOU to expand upon this later.

> Ability to follow         The actual algo-        Only one algorithm,
> the progress in           rithm is not hardwired  if it is broken,
> cryptography              in the protocol. New    everything is over.
>                           algos can be added.

The DNSCurve spec allows the public key to appear anywhere in the name
server's name.  If the security of Curve25519/XSalsa20/Poly1305 becomes
questionable, it would be possible to put together a DNSCurve 2 spec
using the same basic framework but new algorithms and new magic string
constants, and then for administrators to update their NS records again
to signal support for both (and then to eventually transition to
supporting just one again).

Similarly, if a DNSSEC algorithm's security becomes questionable, there
will be a transition period where servers will have to publish public
keys and/or have to sign records under both old and new algorithms.

archive: From owner-namedroppers@ops.ietf.org Mon May 18 10:36:37 2009
From: Paul Hoffman
To: Alex Bligh, Florian Weimer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 10:32:54 -0700
In-Reply-To: <657C3F2AEF32EF82F184504D@Ximines.local>

At 5:33 PM +0100 5/18/09, Alex Bligh wrote:
>--On 18 May 2009 07:05:02 -0700 Paul Hoffman wrote:
>
>>I do *not* support the use of randomized hashing for DNSSEC; the use of
>>already-defined better hash algorithms (SHA-256) is a much better option.
>
>Assuming that Florian's suggestion was not to mandate use of a nonce now,
>but merely to consider permitting it by adopting a draft that would
>document how a reserved type code could be used for this, I don't
>really see the harm. What is the harm you see?

Yet another option with semantics that only make sense to security
weenies like us. "Hey, there is this new option and the RFC says it
might be safer than SHA-256". "If it's safer than SHA-256, we had better
use it. Turn it on." "Do we have a good unpredictable source of
randomness?" "Yeah, sure, I think."

>As a wider point, this may be my IETF process naivety, but it seems
>to me that there might be too high a threshold in this group in getting
>a draft adopted as a w/g draft for discussion. As I understand it,
>adopting a draft for discussion does not imply support (let alone
>unconditional support) for supporting it at last call stage. This
>result risks shutting down potentially viable ideas before they have
>had the chance to even be properly considered or explained. I appreciate
>this may be the result of the w/g charter.

I think the five-person rule is reasonable. What number would you
propose instead?

>Florian's proposal seems an ideal example of this. Yes, using SHA-256
>is going to be "better" than SHA-1 in defeating SHA-1 preimage/collision
>attacks, but on the other hand it would appear (if I understand it
>right) to offer a means of expanding the life of *any* hash that
>is in the position SHA-1 is now (i.e. next most easy to find
>a preimage/collision attack).

Correct. In fact, randomized hashing can be used with MD5 to make
MD5-with-randomized-hashing provably more secure than our current use of
SHA-1. (Yes, I threw that in just to show how confusing this all can be;
it's true, nonetheless.)

> We don't know that's the case, because
>I haven't had the benefit of Florian writing up a draft, but it seems
>to me too early to say it is valueless. If this is right, it could
>be used to extend the life of SHA-256 similarly.

I didn't say "valueless", I said that I thought that the other solutions
were better than his proposed solution. I have said that in the similar
discussion in the PKIX WG. If all we care about is "strongest crypto",
randomized hashing helps. If we care about its operational use, I think
it hurts.

--Paul Hoffman, Director
--VPN Consortium
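The DS advice in Olafur's message above ("only digest algorithm 2, or both 1 and 2") and the DS digest that Florian's sketch targets, as an added example that is not part of the thread: it recomputes DS digests from a child's DNSKEY per RFC 4034 section 5.1.4 (SHA-256 digest type 2 from RFC 4509) and audits a parent-side DS RRset for DS records that match no DNSKEY and for sets that rely on SHA-1 alone. The owner name and DNSKEY bytes are constructed, not a real key.

```python
# Added example, not from the thread: recompute DS digests from a zone's
# DNSKEY (RFC 4034 section 5.1.4, SHA-256 digest type from RFC 4509) and
# check a DS RRset against Olafur's advice: every DS must match a published
# DNSKEY and the set must not rely on SHA-1 (digest type 1) alone.
import base64
import hashlib
import struct

# DS digest types discussed in the thread: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the root label (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name wire form | DNSKEY RDATA), lowercase hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest()


def audit_ds_rrset(owner, dnskeys, ds_records):
    """dnskeys: (flags, protocol, algorithm, key_b64) tuples from the child.
    ds_records: (key_tag, algorithm, digest_type, digest_hex) tuples from
    the parent.  Returns findings; an empty list means every DS verifies and
    a digest type 2 DS is present."""
    keys = {}
    for flags, proto, alg, key_b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key_b64)
        keys[(key_tag(rdata), alg)] = rdata

    findings = []
    verified_types = set()
    for tag, alg, dtype, digest in ds_records:
        label = f"DS {tag} {alg} {dtype}"
        rdata = keys.get((tag, alg))
        if rdata is None:
            findings.append(f"{label}: no DNSKEY with that key tag and algorithm")
        elif dtype not in DIGEST_ALGS:
            findings.append(f"{label}: unsupported digest type")
        elif ds_digest(owner, rdata, dtype) != digest.lower():
            findings.append(f"{label}: digest does not match the DNSKEY")
        else:
            verified_types.add(dtype)
    if verified_types and 2 not in verified_types:
        findings.append("DS RRset verifies but relies on SHA-1 (digest type 1) "
                        "only; publish a digest type 2 (SHA-256) DS as well")
    return findings


# Constructed sample input: the key bytes are filler, not a real public key.
SAMPLE_OWNER = "example.org."
SAMPLE_DNSKEY = (257, 3, 8,
                 base64.b64encode(b"constructed key bytes, not a real key").decode())


if __name__ == "__main__":
    rdata = dnskey_rdata(*SAMPLE_DNSKEY)
    tag = key_tag(rdata)
    sha1_only = [(tag, 8, 1, ds_digest(SAMPLE_OWNER, rdata, 1))]
    both = sha1_only + [(tag, 8, 2, ds_digest(SAMPLE_OWNER, rdata, 2))]
    print("SHA-1 only:", audit_ds_rrset(SAMPLE_OWNER, [SAMPLE_DNSKEY], sha1_only))
    print("1 and 2:   ", audit_ds_rrset(SAMPLE_OWNER, [SAMPLE_DNSKEY], both))
```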
archive: From owner-namedroppers@ops.ietf.org Mon May 18 10:46:22 2009
From: Nicholas Weaver
To: Matthew Dempsky
Cc: Nicholas Weaver, Stephane Bortzmeyer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE
Date: Mon, 18 May 2009 10:43:05 -0700

On May 18, 2009, at 9:51 AM, Matthew Dempsky wrote:

> The DNSCurve spec allows the public key to appear anywhere in the name
> server's name.  If the security of Curve25519/XSalsa20/Poly1305
> becomes questionable, it would be possible to put together a DNSCurve
> 2 spec using the same basic framework but new algorithms and new magic
> string constants, and then for administrators to update their NS
> records again to signal support for both (and then to eventually
> transition to supporting just one again).

Correct me if I'm wrong, but doesn't DNSSEC's key encoding process
effectively limit public key length?

Thus, isn't it reliant on ECC and specific elliptic curves, because of
the need to fit a full public key (not just a fingerprint) in a 64
character, case-insensitive DNS name?
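The key-in-NS-name scheme Matthew describes above, and the label-size question Nicholas raises, as an added example that is not part of the thread: it encodes a constructed key into a DNSCurve name-server label, scans an NS target name for such a label (the key may sit in any label), and checks the result against the RFC 1035 label and name limits. The "uz5" prefix and base32 alphabet are taken from the DNSCurve spec rather than from these messages, so treat those encoding details as assumptions.

```python
# Added example, not from the thread: how a DNSCurve public key travels inside
# a name server's name, how a resolver would spot it, and the two RFC 1035
# size limits (63-octet label, 255-octet name) that bound the key length.
# Assumed from the DNSCurve spec, not stated in this thread: the key label is
# the magic string "uz5" followed by 51 base32 characters (alphabet below,
# least-significant 5 bits first) encoding the 255-bit Curve25519 public key.
from typing import Optional, Tuple

BASE32 = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_BITS = 255
KEY_CHARS = 51      # ceil(255 / 5)
MAX_LABEL = 63      # RFC 1035 label limit, octets
MAX_NAME = 255      # RFC 1035 name limit, octets of wire form

# Magic prefix -> algorithm suite.  A "DNSCurve 2" with new algorithms would
# add a second entry here; the scan below already handles several suites.
MAGIC = {"uz5": "Curve25519/XSalsa20/Poly1305"}


def encode_key(pk: bytes) -> str:
    """32-byte public key -> 51 base32 characters, low bits first."""
    if len(pk) != 32:
        raise ValueError("Curve25519 public keys are 32 bytes")
    n = int.from_bytes(pk, "little") & ((1 << KEY_BITS) - 1)
    return "".join(BASE32[(n >> (5 * i)) & 31] for i in range(KEY_CHARS))


def decode_key(text: str) -> bytes:
    """Inverse of encode_key.  DNS names are case-insensitive, so fold case."""
    text = text.lower()
    if len(text) != KEY_CHARS or any(c not in BASE32 for c in text):
        raise ValueError("not a 51-character DNSCurve base32 key")
    n = 0
    for i, c in enumerate(text):
        n |= BASE32.index(c) << (5 * i)
    return n.to_bytes(32, "little")


def dnscurve_label(pk: bytes, magic: str = "uz5") -> str:
    """The label an operator adds to its name server's name."""
    return magic + encode_key(pk)


def find_dnscurve_key(ns_name: str) -> Optional[Tuple[str, bytes]]:
    """Scan every label (the key may appear anywhere in the name) for a
    recognised magic prefix of the right length.  Returns (suite, key)."""
    for label in ns_name.rstrip(".").split("."):
        low = label.lower()
        for magic, suite in MAGIC.items():
            if low.startswith(magic) and len(low) == len(magic) + KEY_CHARS:
                try:
                    return suite, decode_key(low[len(magic):])
                except ValueError:
                    continue   # right shape, wrong alphabet: not a key label
    return None


def wire_length(name: str) -> int:
    """Octets of the name in wire form: a length byte per label plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def fits_dns_limits(name: str) -> bool:
    """True when every label is at most 63 octets and the name at most 255."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return all(len(l) <= MAX_LABEL for l in labels) and wire_length(name) <= MAX_NAME


# Constructed sample key: a byte ramp, not a real Curve25519 public key.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    label = dnscurve_label(SAMPLE_KEY)
    ns = f"{label}.ns1.example.org."
    print(ns, len(label), fits_dns_limits(ns))
    print(find_dnscurve_key(ns) == (MAGIC["uz5"], SAMPLE_KEY))
```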
archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:08:22 2009
From: Matthew Dempsky
To: Nicholas Weaver
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE
Date: Mon, 18 May 2009 11:04:43 -0700

On Mon, May 18, 2009 at 10:43 AM, Nicholas Weaver wrote:
> Correct me if I'm wrong, but doesn't DNSSEC's key encoding process
> effectively limit public key length?

You mean DNSCurve, not DNSSEC, right?  But, yes, it does.

> Thus, isn't it reliant on ECC and specific elliptic curves, because of the
> need to fit a full public key (not just a fingerprint) in a 64 character,
> case-insensitive DNS name?

Well, it needs to fit a full public key in a ~255 character
case-insensitive name.  Curve25519 public keys are small enough to fit
into a single label, so for simplicity, DNSCurve does just that.

archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:13:19 2009
From: Andrew Sullivan
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 14:10:40 -0400
Message-ID: <20090518181040.GS4057@shinkuro.com>
In-Reply-To: <657C3F2AEF32EF82F184504D@Ximines.local>

On Mon, May 18, 2009 at 05:33:58PM +0100, Alex Bligh wrote:
> to me that there might be too high a threshold in this group in getting
> a draft adopted as a w/g draft for discussion. As I understand it,
> adopting a draft for discussion does not imply support (let alone
> unconditional support) for supporting it at last call stage.

Olafur posted a point of order on that very issue just the other day.
Our five-reviewer limit is a requirement that we actually have five
people who will complete the WG's commitment to review the document if
and when it comes up for WGLC.  It in no way implies that the document
will in fact proceed from the WG to the IESG, because we can't possibly
know whether all the reviewers will be willing to say, "Yes this is a
good idea."  And, frankly, if we can't find 5 people who are willing to
review a document and say it's a good idea, then I am perfectly happy
concluding that it is not ready for publication as a product of the WG.

The reason we need to get a commitment from five people to do the review
in the first place is because, historically, we have had a problem with
the WG agreeing to take on work, but then not completing review of the
draft.  The result is that we end up with frustrated editors who can't
get their drafts out the door for want of review.

None of this is to say that I-Ds that haven't actually been adopted by
the WG are off-topic for this list.  If an I-D has something to say
about the DNS and it's not already being worked on elsewhere, don't
hesitate to bring it up here.  Similarly, calls to participate in other
WGs because there are DNS implications "over there" are quite
reasonable.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:14:33 2009
From: Alex Bligh
To: Paul Hoffman, Florian Weimer, namedroppers@ops.ietf.org
Cc: Alex Bligh
Subject: Re: [dnsext] Increasing hash collision resilience
Date: Mon, 18 May 2009 19:10:25 +0100
Message-ID: <98639C8E6C49737790C1570A@Ximines.local>

--On 18 May 2009 10:32:54 -0700 Paul Hoffman wrote:

> "If it's safer than SHA-256, we had better use it. Turn it on." "Do we
> have a good unpredictable source of randomness?" "Yeah, sure, I think."

If not, do we not have larger problems?

>> As a wider point, this may be my IETF process naivety, but it seems
>> to me that there might be too high a threshold in this group in getting
>> a draft adopted as a w/g draft for discussion. As I understand it,
>> adopting a draft for discussion does not imply support (let alone
>> unconditional support) for supporting it at last call stage. This
>> result risks shutting down potentially viable ideas before they have
>> had the chance to even be properly considered or explained. I appreciate
>> this may be the result of the w/g charter.
>
> I think the five-person rule is reasonable. What number would you propose
> instead?

I was not necessarily proposing a change to the five person rule.
My observation (and as I say, it may be down to IETF process naivety on my part) was that perhaps people were expressing views against adoption at an early stage which would preclude a proper evaluation of an idea which is at least worth evaluating. This wasn't meant as a criticism of you in particular, Paul, in any way; the same issue came up with EDNS ping where someone (I forget who) volunteered to review the draft on the explicit basis that this didn't indicate support for it (and it was reasonably obvious it wasn't their favourite idea) but thought that at least it should be properly evaluated. -- Alex Bligh -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:16:10 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8CF23A6E36; Mon, 18 May 2009 11:16:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.257 X-Spam-Level: X-Spam-Status: No, score=-5.257 tagged_above=-999 required=5 tests=[AWL=-0.209, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kI3euhZduFL6; Mon, 18 May 2009 11:16:05 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 1E05D3A6CAF; Mon, 18 May 2009 11:15:43 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67LP-000CTC-Tj for namedroppers-data0@psg.com; Mon, 18 May 2009 18:13:47 +0000 Received: from [192.150.186.11] (helo=fruitcake.ICSI.Berkeley.EDU) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 
1M67LD-000CR6-5u for namedroppers@ops.ietf.org; Mon, 18 May 2009 18:13:41 +0000 Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id n4IIDVfc003629; Mon, 18 May 2009 11:13:32 -0700 (PDT) Cc: Nicholas Weaver , namedroppers@ops.ietf.org Message-Id: From: Nicholas Weaver To: Matthew Dempsky In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v935.3) Subject: Re: [dnsext] Re: DNSCURVE Date: Mon, 18 May 2009 11:13:31 -0700 References: <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr> X-Mailer: Apple Mail (2.935.3) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On May 18, 2009, at 11:04 AM, Matthew Dempsky wrote: > On Mon, May 18, 2009 at 10:43 AM, Nicholas Weaver > wrote: >> Correct me if I'm wrong, but doesn't DNSSEC's key encoding process >> effectively limit public key length? > > You mean DNSCurve, not DNSSEC, right? But, yes, it does. Yeah, thats what I meant. >> Thus, isn't it reliant on ECC and specific elliptic curves, because >> of the >> need to fit a full public key (not just a fingerprint) in a 64 >> character, >> case-insensitive DNS name? > > Well, it needs to fit a full public key in a ~255 character > case-insensitive name. Curve25519 public keys are small enough to fit > into a single label, so for simplicity, DNSCurve does just that. But why use a name at all? Since this uses changes on both authorities and resolvers, why not use the TKEY resource record? I'm not a huge fan of DNSEC, but I'm even less a fan of DNSCurve, because the design seems based on a very primitive notion of DNS records, eg, by forcing the key encoding into a name rather than a real resource record. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:19:54 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1C583A6846; Mon, 18 May 2009 11:19:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.412 X-Spam-Level: X-Spam-Status: No, score=-2.412 tagged_above=-999 required=5 tests=[AWL=0.187, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cppEJlgWGnaz; Mon, 18 May 2009 11:19:54 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E92883A6F8A; Mon, 18 May 2009 11:19:53 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67PG-000CyE-HX for namedroppers-data0@psg.com; Mon, 18 May 2009 18:17:46 +0000 Received: from [2001:470:1f04:392::2] (helo=balder-227.proper.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67P2-000Cvs-T7 for namedroppers@ops.ietf.org; Mon, 18 May 2009 18:17:39 +0000 Received: from [10.20.30.158] (dsl-63-249-108-169.static.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n4IIHQ0u099047 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 18 May 2009 11:17:27 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) Mime-Version: 1.0 Message-Id: In-Reply-To: References: <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr> Date: Mon, 18 May 2009 11:17:25 -0700 To: Nicholas Weaver , Matthew Dempsky From: Paul Hoffman Subject: Re: [dnsext] Re: DNSCURVE Cc: Nicholas Weaver , Stephane Bortzmeyer , namedroppers@ops.ietf.org Content-Type: text/plain; charset="us-ascii" Sender: 
owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: At 10:43 AM -0700 5/18/09, Nicholas Weaver wrote: >Thus, isn't it reliant on ECC and specific elliptic curves, because of the need to fit a full public key (not just a fingerprint) in a 64 character, case-insensitive DNS name? It is reliant on ECC and *specific key sizes* to fit in a 64 character, case-insensitive DNS name. Any ECC key with a 256-bit key will work fine in the DNSCurve encoding scheme. For example, the coding would work fine with the NIST/NSA P256 curve. (And, for those who have lost their score chart, that's the equivalent of a 3048-bit RSA key.) --Paul Hoffman, Director --VPN Consortium -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:50:06 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9248028C11A; Mon, 18 May 2009 11:50:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.545 X-Spam-Level: X-Spam-Status: No, score=-0.545 tagged_above=-999 required=5 tests=[AWL=-0.050, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0TzG85k9zYMH; Mon, 18 May 2009 11:50:05 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B7D873A6966; Mon, 18 May 2009 11:50:05 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67qf-000GMK-Cy for namedroppers-data0@psg.com; Mon, 18 May 2009 18:46:05 +0000 Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) 
(envelope-from ) id 1M67qS-000GLL-MB for namedroppers@ops.ietf.org; Mon, 18 May 2009 18:45:58 +0000 Received: from [192.168.100.15] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id C367AC2DA3; Mon, 18 May 2009 19:45:37 +0100 (BST) Date: Mon, 18 May 2009 19:44:08 +0100 From: Alex Bligh Reply-To: Alex Bligh To: Paul Hoffman , Nicholas Weaver , Matthew Dempsky cc: Nicholas Weaver , Stephane Bortzmeyer , namedroppers@ops.ietf.org, Alex Bligh Subject: Re: [dnsext] Re: DNSCURVE Message-ID: In-Reply-To: References: <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr> X-Mailer: Mulberry/4.0.8 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: --On 18 May 2009 11:17:25 -0700 Paul Hoffman wrote: > It is reliant on ECC and *specific key sizes* to fit in a 64 character, > case-insensitive DNS name. Any ECC key with a 256-bit key will work fine > in the DNSCurve encoding scheme. But, if I understand it, only one particular ECC scheme is specified in DNSCurve (i.e. there is no algorithm agility) and we don't have an IPR statement on it (or at least not in the IETF required manner). Also, if I understand it, any advantages to DNSCurve in raw crypto terms could be duplicated by mandating equivalent ECC algorithms within DNSSEC. -- Alex Bligh -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:50:22 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E70828C227; Mon, 18 May 2009 11:50:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnyubCZeZdZX; Mon, 18 May 2009 11:50:21 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 71BC128C11A; Mon, 18 May 2009 11:50:21 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67st-000Gai-51 for namedroppers-data0@psg.com; Mon, 18 May 2009 18:48:23 +0000 Received: from [209.85.216.103] (helo=mail-px0-f103.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67sg-000GWD-EU for namedroppers@ops.ietf.org; Mon, 18 May 2009 18:48:16 +0000 Received: by pxi1 with SMTP id 1so2410981pxi.5 for ; Mon, 18 May 2009 11:47:50 -0700 (PDT) MIME-Version: 1.0 Received: by 10.143.19.16 with SMTP id w16mr2158154wfi.343.1242672470655; Mon, 18 May 2009 11:47:50 -0700 (PDT) In-Reply-To: References: <20090518081043.GC936@nic.fr> Date: Mon, 18 May 2009 11:47:50 -0700 Message-ID: Subject: Re: [dnsext] Re: DNSCURVE From: Matthew Dempsky To: Nicholas Weaver Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Mon, May 18, 2009 at 11:13 AM, Nicholas Weaver wrote: > But why use a name at all? 
You have to publish them somehow, and registrars already support publishing them through names. > Since this uses changes on both authorities and resolvers, why not use the > TKEY resource record? To meet the DNSCurve design goal of not requiring additional packets, that would require modifying the DNS content servers to additionally serve TKEY records with delegations. Also, it would require modifying web user interfaces to support entering TKEY records. > I'm not a huge fan of DNSEC, but I'm even less a fan of DNSCurve, because > the design seems based on a very primitive notion of DNS records, eg, by > forcing the key encoding into a name rather than a real resource record. Yeah, using new record types would be cleaner, but I think this is a more pragmatic solution. If this is a sticking point, I'd be happy to discuss ways to distribute public keys without depending on the name server's name (e.g., additional record types which would require content server and admin dashboard changes). However, to accelerate adoption, I think the currently proposed encoding scheme has its merits. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Mon May 18 11:52:14 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A88ED3A6D85; Mon, 18 May 2009 11:52:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 4.105 X-Spam-Level: **** X-Spam-Status: No, score=4.105 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_RU=0.595, HELO_MISMATCH_RU=3.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8ki0uO0osZY; Mon, 18 May 2009 11:52:11 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A730A3A6C87; Mon, 18 May 2009 11:52:11 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67ve-000GyJ-3V for namedroppers-data0@psg.com; Mon, 18 May 2009 18:51:14 +0000 Received: from [87.245.158.60] (helo=mx.cryptocom.ru) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M67vR-000Gsi-5H for namedroppers@ops.ietf.org; Mon, 18 May 2009 18:51:07 +0000 Received: from localhost (localhost [127.0.0.1]) by mx.cryptocom.ru (Postfix) with ESMTP id 2EC813EC06; Mon, 18 May 2009 22:50:45 +0400 (MSD) X-Virus-Scanned: Debian amavisd-new at cryptocom.ru Received: from mx.cryptocom.ru ([127.0.0.1]) by localhost (mx.cryptocom.ru [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 3aaxaNty8d9A; Mon, 18 May 2009 22:50:44 +0400 (MSD) Received: from [192.168.63.201] (unknown [91.78.158.131]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.cryptocom.ru (Postfix) with ESMTP id 698A33EC05; Mon, 18 May 2009 22:50:39 +0400 (MSD) Message-ID: <4A11ADFE.8050102@cryptocom.ru> Date: Mon, 
18 May 2009 22:50:38 +0400 From: Basil Dolmatov User-Agent: Thunderbird 2.0.0.21 (X11/20090409) MIME-Version: 1.0 To: Paul Hoffman CC: Nicholas Weaver , Matthew Dempsky , Stephane Bortzmeyer , namedroppers@ops.ietf.org Subject: Re: [dnsext] Re: DNSCURVE References: <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090518081043.GC936@nic.fr> In-Reply-To: Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Paul Hoffman пишет:
At 10:43 AM -0700 5/18/09, Nicholas Weaver wrote:
  
Thus, isn't it reliant on ECC and specific elliptic curves, because of the need to fit a full public key (not just a fingerprint) in a 64 character, case-insensitive DNS name?
    

It is reliant on ECC and *specific key sizes* to fit in a 64 character, case-insensitive DNS name. Any ECC key with a 256-bit key will work fine in the DNSCurve encoding scheme. For example, the coding would work fine with the NIST/NSA P256 curve. (And, for those who have lost their score chart, that's the equivalent of a 3048-bit RSA key.)

  
For GOST 34.10-2001 it would work fine too.

dol@


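The size arithmetic behind the exchange above (a full public key carried in one 63-octet DNS label, inside a name of at most 255 wire octets), as an added worked example that is not part of the thread or of DNSCurve's own code. It uses RFC 4648 base32 from the Python standard library as a stand-in encoding: DNSCurve's real alphabet and label prefix are not given on this page, so the "uz5" marker here is an assumed placeholder, and the digit count differs slightly from a bit-tight encoding. The key sizes it checks are standard serializations I chose for comparison (32-byte Curve25519 key, 33-byte compressed and 65-byte uncompressed P-256 point, 384-byte RSA-3072 modulus); the RSA figure is my own reference point, not the one quoted in the thread. The sample key is constructed, not a real key.

```python
"""Does a public key fit inside a DNS label?  Worked size check.

Added example, not from the mailing-list thread.  RFC 4648 base32 stands in
for the list's own encoding; the "uz5" prefix is an assumed placeholder.
"""
import base64

MAX_LABEL = 63    # RFC 1035: one label holds at most 63 octets
MAX_NAME = 255    # RFC 1035: a whole name is at most 255 wire octets
PREFIX = "uz5"    # assumed marker so a resolver can spot key-bearing labels


def encode_key_label(pubkey: bytes, prefix: str = PREFIX) -> str:
    """Encode a raw public key as one lowercase, case-insensitive label.

    Raises ValueError when the key cannot fit in a single label.
    """
    text = base64.b32encode(pubkey).decode("ascii").rstrip("=").lower()
    label = prefix + text
    if len(label) > MAX_LABEL:
        raise ValueError(f"label needs {len(label)} octets, limit is {MAX_LABEL}")
    return label


def decode_key_label(label: str, key_len: int, prefix: str = PREFIX) -> bytes:
    """Inverse of encode_key_label; tolerates any letter case on the wire.

    key_len pins the expected size so a truncated or padded label is rejected
    instead of silently yielding a wrong-length key.
    """
    label = label.lower()
    if not label.startswith(prefix):
        raise ValueError("label does not carry a public key")
    text = label[len(prefix):].upper()
    text += "=" * (-len(text) % 8)          # restore the padding we stripped
    key = base64.b32decode(text)
    if len(key) != key_len:
        raise ValueError(f"decoded {len(key)} bytes, expected {key_len}")
    return key


def wire_length(name: str) -> int:
    """Octets the name occupies in a DNS message: a length byte plus data for
    each label, then the terminating zero-length root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def fits(key_bytes: int, prefix: str = PREFIX) -> dict:
    """Size report for a key of key_bytes octets.

    single_label: prefix + base32 text fits one 63-octet label.
    whole_name:   the same text, split into 63-octet labels, fits a 255-octet
                  name before any nameserver suffix is appended (an upper
                  bound; a real name must also leave room for that suffix).
    """
    chars = -(-(key_bytes * 8) // 5)        # ceil(bits / 5) base32 digits
    total = len(prefix) + chars
    nlabels = -(-total // MAX_LABEL)        # ceil(total / 63)
    return {
        "chars": chars,
        "single_label": total <= MAX_LABEL,
        "whole_name": total + nlabels + 1 <= MAX_NAME,
    }


if __name__ == "__main__":
    # Constructed sample key: 32 distinct byte values, not a real key.
    sample = bytes(range(32))
    label = encode_key_label(sample)
    print(label, len(label), wire_length(label + ".ns.example."))
    for desc, size in [("Curve25519 (32 B)", 32),
                       ("P-256 compressed (33 B)", 33),
                       ("P-256 uncompressed (65 B)", 65),
                       ("RSA-3072 modulus (384 B)", 384)]:
        print(f"{desc:28} {fits(size)}")
```

The report makes the thread's point concrete: a 32-byte Curve25519 key needs 52 base32 digits, so with a short prefix it sits comfortably under the 63-octet label limit, and a 33-byte compressed P-256 point does too. An uncompressed 65-byte point (or a 64-byte x||y pair) overflows a single label and would have to be split across labels, which still fits a 255-octet name; an RSA-3072 modulus fits neither, which is why a name-encoded key forces the choice of a short public-key format. The decoder's fixed-length check is the defensive detail to keep: a label that decodes to the wrong size is rejected rather than handed to the key-agreement code.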
From owner-namedroppers@ops.ietf.org Mon May 18 12:03:26 2009
Date: Mon, 18 May 2009 11:58:38 -0700
From: Matthew Dempsky
To: Alex Bligh
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE

On Mon, May 18, 2009 at 11:44 AM, Alex Bligh wrote:

> But, if I understand it, only one particular ECC scheme
> is specified in DNSCurve (i.e. there is no algorithm agility)

Yes, the current DNSCurve spec only specifies Curve25519. But like I've said, there's no fundamental reason a future DNSCurve v2 spec couldn't be published using new algorithms.

> and
> we don't have an IPR statement on it (or at least not in the IETF
> required manner).

Dan has stated that he does not know of any patents that affect Curve25519: http://cr.yp.to/ecdh/patents.html. In his eSTREAM submission, he made the same statements about Salsa20: http://cr.yp.to/snuffle/ip.pdf

Offhand, I don't know of any disclaimer about Poly1305, but I suspect he's willing to make the same claim about it as well.

Additionally, there are optimized public domain implementations of Curve25519, XSalsa20, and Poly1305 for many architectures in the NaCl library at http://nacl.cace-project.eu/

> Also, if I understand it, any advantages to DNSCurve in raw crypto terms
> could be duplicated by mandating equivalent ECC algorithms within
> DNSSEC.

That's not completely true. Much of DNSCurve's benefits come from being able to use secret-key cryptography for most normal work, whereas DNSSEC has to use public-key cryptography for every cryptographic operation.

From owner-namedroppers@ops.ietf.org Mon May 18 12:12:15 2009
Date: Mon, 18 May 2009 12:09:40 -0700
From: Paul Hoffman
To: Alex Bligh, Nicholas Weaver, Matthew Dempsky
Cc: Stephane Bortzmeyer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE

At 7:44 PM +0100 5/18/09, Alex Bligh wrote:

> --On 18 May 2009 11:17:25 -0700 Paul Hoffman wrote:
>
>> It is reliant on ECC and *specific key sizes* to fit in a 64 character,
>> case-insensitive DNS name. Any ECC key with a 256-bit key will work fine
>> in the DNSCurve encoding scheme.
>
> But, if I understand it, only one particular ECC scheme
> is specified in DNSCurve (i.e. there is no algorithm agility) and
> we don't have an IPR statement on it (or at least not in the IETF
> required manner).

This is why I was hammering to have a stable document (or, as we ended up with, a stable web site) that I could comment on. One of the primary questions for the *protocol* is whether different curves could be used. This WG might love the protocol but want to use a more heavily-reviewed curve such as P-256.

> Also, if I understand it, any advantages to DNSCurve in raw crypto terms
> could be duplicated by mandating equivalent ECC algorithms within
> DNSSEC.

No, that's completely wrong. The DNSCurve protocol has completely different properties than DNSSEC. The DNSCurve protocol encrypts and authenticates all DNS queries and responses. DNSCurve queries and responses have cryptographic nonces to add integrity. The authoritative server is doing cryptographic calculations for every request (as compared to DNSSEC, where the authoritative server is just sending out pre-calculated responses).

--Paul Hoffman, Director
--VPN Consortium

From owner-namedroppers@ops.ietf.org Mon May 18 12:29:21 2009
Date: Mon, 18 May 2009 20:24:43 +0100
From: Alex Bligh
To: Paul Hoffman, Nicholas Weaver, Matthew Dempsky
Cc: Stephane Bortzmeyer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Re: DNSCURVE
Message-ID: <683D1FAB2CC4F56DB1E55029@Ximines.local>

--On 18 May 2009 12:09:40 -0700 Paul Hoffman wrote:

> The authoritative server is doing cryptographic calculations for every
> request (as compared to DNSSEC, where the authoritative server is just
> sending out pre-calculated responses).

Ah - I had (mis)remembered that the ECC algorithm itself was only used for precalculated public key crypto in DNSCURVE.

--
Alex Bligh

From owner-namedroppers@ops.ietf.org Mon May 18 12:29:23 2009
Date: Mon, 18 May 2009 12:26:55 -0700
From: "Jeffrey A. Williams"
Organization: IDNS and Spokesman for INEGroup
To: Dean Anderson
Cc: Paul Vixie, namedroppers@ops.ietf.org, namedroppers-honest@lists.iadl.org
Subject: Re: [Namedroppers-honest] [dnsext] DNSCURVE
Message-ID: <4A11B67E.610DE3D3@ix.netcom.com>

Dean and all,

I could not agree more. And thank you for your openness and transparency. Much appreciated by me! >:)

Dean Anderson wrote:

> On Sun, 17 May 2009, Paul Vixie wrote:
>
> > > Date: Sun, 17 May 2009 15:25:49 -0400
> > > From: Michael StJohns
> > > ...
> > > If the proponents of DNSCURVE want it to be considered by the working
> > > group, I suggest they would have better luck submitting an ID for the
> > > group's consideration ...
> >
> > i think the dnscurve folks have made clear that they don't care whether
> > IETF takes up their work or not. but here we see some cracks in the IETF
> > model. for one thing, lack of interest in IETF's processes on the part of
> > a technology's creators should not be a disqualifier.
>
> Actually, Dr. Bernstein's "lack of interest" in IETF processes is due to
> maltreatment of many people including himself, on this Working Group.
>
> The cracks in the IETF model are purely due to the failure of the IETF
> leadership to honestly adhere to that model.
>
> Steve Crocker wrote an editorial for the NY Times recently that
> trumpeted many things about the IETF that haven't been found in the
> record, well, since Jon Postel died: Critics are silenced, conflicts of
> interest are baldly exploited, complaints ignored; dishonesty abounds.
>
> Http://www.av8.net/IETF-watch
>
> --
> Av8 Internet Prepared to pay a premium for better service?
> www.av8.net faster, more reliable, better service
> 617 344 9000
>
> _______________________________________________
> Namedroppers-honest mailing list
> Namedroppers-honest@lists.iadl.org
> http://lists.iadl.org/mailman/listinfo/namedroppers-honest

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827

From owner-namedroppers@ops.ietf.org Mon May 18 12:31:24 2009
Date: Mon, 18 May 2009 12:29:19 -0700
Message-ID: <4A11B70F.9786F413@ix.netcom.com>
From: "Jeffrey A.
Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Florian Weimer CC: namedroppers@ops.ietf.org Subject: Re: [dnsext] Increasing hash collision resilience References: <82eiumzw0c.fsf@mid.bfk.de> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e5196068821f391967e3778d6e448fd6c5cce930f350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Florian and all, Good suggestion. Florian Weimer wrote: > Currently, DNSSEC is rather exposed to near-state-of-the-art collision > attacks when the signature on DS records is computed. (This data > comes from a potential attacker. Other signatures cover self-created > data and are thus not subject to current attacks, except for > signatures on externally submitted zone contents, but this can be > addressed by delegation.) > > In order to counter these attacks, it's possible (and recommended) to > prefix the signed document with a nonce. Currently, there is no good > way to do this. However, it would be possible to put this nonce into > a DS record with the Digest Type 0, Key Tag 0, which is currently > reserved. > > Is there interest in a draft which sets aside Digest Type 0 for this > purpose? Any other Digest Type doesn't work because > attacker-controlled data might sort in front of it. > > No changes in authoritative servers, resolvers, or validators are > required beyond relaxation of overly restrictive checks on DNSSEC Digest > Types. Only zone signers need to be updated to generate the nonces. 
> > -- > Florian Weimer > BFK edv-consulting GmbH http://www.bfk.de/ > Kriegsstraße 100 tel: +49-721-96201-1 > D-76133 Karlsruhe fax: +49-721-96201-99 > > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. > archive: Regards, Spokesman for INEGroup LLA. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive:
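Florian's proposal above rests on the canonical ordering rule that DNSSEC signers apply before hashing an RRset: a DS record with Key Tag 0 and Digest Type 0 must land in front of every DS record the child submitted, so the random "digest" ends up prefixing the attacker-controlled data inside the signed message. The Python below is an added example, not code from the thread or from any DNSSEC implementation. It builds DS RDATA in wire format, orders an RRset the way RFC 4034 section 6.3 requires (RDATA compared as left-justified unsigned octet strings, which is exactly how Python compares bytes), and assembles the RRSIG signing input of RFC 4034 section 3.1.8.1 so the position of the nonce record is visible. Three things are assumptions of the example rather than statements from the list: the nonce record carries Algorithm 0, the nonce is 32 octets long, and the parent refuses any externally submitted DS whose Digest Type is 0 (which reserving the value implies). The `sorts_first` check also reproduces Florian's remark that a nonce record with any other Digest Type can be outrun by a submitted record with a smaller fourth octet.

```python
# Added example for the nonce-DS proposal; not code from the thread.
# Assumed (not stated on the list): the nonce record uses Algorithm 0, the
# nonce is 32 octets, and the parent refuses externally submitted DS records
# with Digest Type 0.
import os
import struct

TYPE_DS = 43
CLASS_IN = 1


def wire_name(name):
    """Uncompressed, lowercased wire-format name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_rdata(key_tag, algorithm, digest_type, digest):
    """DS RDATA: key tag (2 octets), algorithm (1), digest type (1), digest."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def nonce_ds(nonce=None):
    """The proposed nonce record: Key Tag 0, Digest Type 0, random 'digest'.
    Algorithm 0 is an assumption; the proposal only fixes key tag and digest type."""
    if nonce is None:
        nonce = os.urandom(32)
    return ds_rdata(0, 0, 0, nonce)


def canonical_rrset(owner, ttl, rdatas):
    """RFC 4034 section 6.3: RRs ordered by RDATA as left-justified unsigned
    octet strings (Python bytes compare exactly that way), each RR in
    canonical wire form: owner | type | class | TTL | rdlength | rdata."""
    name = wire_name(owner)
    return [name + struct.pack("!HHIH", TYPE_DS, CLASS_IN, ttl, len(rd)) + rd
            for rd in sorted(rdatas)]


def rrsig_signing_input(owner, ttl, rdatas, expiration, inception,
                        key_tag, signer, algorithm=8):
    """What the zone signer actually hashes and signs (RFC 4034 section
    3.1.8.1): the RRSIG RDATA without its signature field, followed by the
    canonical RRset.  Type covered is DS here."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    rrsig_prefix = struct.pack("!HBBIIIH", TYPE_DS, algorithm, labels, ttl,
                               expiration, inception, key_tag) + wire_name(signer)
    return rrsig_prefix + b"".join(canonical_rrset(owner, ttl, rdatas))


def sorts_first(candidate, submitted):
    """True if the candidate RDATA precedes every submitted RDATA, i.e. it is
    the first record after the RRSIG fields in the signed message."""
    return all(candidate < rd for rd in submitted)


if __name__ == "__main__":
    # Constructed sample: DS records as a child (or an attacker) might submit.
    submitted = [
        ds_rdata(12345, 8, 2, bytes(32)),   # ordinary RSA/SHA-256 DS
        ds_rdata(0, 8, 1, bytes(20)),       # key tag forced to 0
        ds_rdata(0, 0, 1, bytes(32)),       # key tag and algorithm both 0
    ]
    nonce = nonce_ds()
    print("nonce DS sorts first:", sorts_first(nonce, submitted))
    # A nonce with any other digest type can be beaten on the fourth octet.
    print("digest type 2 nonce sorts first:",
          sorts_first(ds_rdata(0, 0, 2, nonce[4:]), submitted))
    msg = rrsig_signing_input("example.", 3600, submitted + [nonce],
                              0x4A2C0000, 0x4A110000, 31589, "example.")
    first_rr = canonical_rrset("example.", 3600, [nonce])[0]
    print("signed message starts with nonce record:",
          msg[18 + len(wire_name("example.")):].startswith(first_rr))
```

Run as a script it prints the three checks. The RRSIG fields that precede the nonce in the signed message are chosen by the signer, so with the nonce record in place the first submitter-influenced octets the signer hashes come after 32 random octets that nobody could have known while preparing a colliding pair of DS records.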
From owner-namedroppers@ops.ietf.org Mon May 18 12:33:52 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C89FD28C30E; Mon, 18 May 2009 12:33:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAKw3wNcwCgv; Mon, 18 May 2009 12:33:52 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id F2FF028C2B9; Mon, 18 May 2009 12:33:51 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68ZO-000MUb-B8 for namedroppers-data0@psg.com; Mon, 18 May 2009 19:32:18 +0000 Received: from [209.85.222.187] (helo=mail-pz0-f187.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68ZC-000MRw-4D for namedroppers@ops.ietf.org; Mon, 18 May 2009 19:32:12 +0000 Received: by pzk17 with SMTP id 17so2517758pzk.5 for ; Mon, 18 May 2009 12:32:04 -0700 (PDT) MIME-Version: 1.0 Received: by 10.142.204.11 with SMTP id b11mr2160149wfg.208.1242675124785; Mon, 18 May 2009 12:32:04 -0700 (PDT) Date: Mon, 18 May 2009 12:32:04 -0700 Message-ID: Subject: Re: [dnsext] Re: DNSCurve From: Matthew Dempsky To: Alex Bligh Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Mon, May 18, 2009 at 12:24 PM, Alex Bligh wrote: > Ah - I had (mis)remembered that the ECC algorithm itself was only used for > precalculated public key crypto in 
DNSCURVE. I think you mean DNSSEC here. DNSCurve does not "precalculate" anything, though it does allow for caching of Diffie-Hellman shared secrets. Also, because it's becoming increasingly common, let me take the opportunity to point out that the correct capitalization is DNSCurve, not DNSCURVE. I've also corrected the subject line for this. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 12:34:45 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDA4F28C333; Mon, 18 May 2009 12:34:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.397 X-Spam-Level: X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[AWL=0.834, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qD3Gjo+qCJ3e; Mon, 18 May 2009 12:34:44 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B589A28C32C; Mon, 18 May 2009 12:34:44 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68aH-000MeY-TH for namedroppers-data0@psg.com; Mon, 18 May 2009 19:33:13 +0000 Received: from [209.86.89.67] (helo=elasmtp-scoter.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68a2-000Mba-NU for namedroppers@ops.ietf.org; Mon, 18 May 2009 19:33:04 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=bl7zM6YGm5xJ51wDxuKhwV2nF1fczySUqCUZZQSe85By0UqcVCaD8Ppq8lq2g1fd; 
h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.93] (helo=ix.netcom.com) by elasmtp-scoter.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M68Zy-0008Cd-TT; Mon, 18 May 2009 15:32:55 -0400 Message-ID: <4A11B7DA.5C6FF93C@ix.netcom.com> Date: Mon, 18 May 2009 12:32:42 -0700 From: "Jeffrey A. Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Aki Tuomi CC: namedroppers@ops.ietf.org Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688c74e35971736c4094e87e05f42417954350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Aki and all, finally some truth telling. Thank you Aki! 
>:) Aki Tuomi wrote: > > -----Original Message----- > > From: owner-namedroppers@ops.ietf.org [mailto:owner- > > namedroppers@ops.ietf.org] On Behalf Of Stephane Bortzmeyer > > Sent: Monday, May 18, 2009 11:17 AM > > To: Andrew Sullivan > > Cc: namedroppers@ops.ietf.org > > Subject: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE > > > > On Sun, May 17, 2009 at 03:48:35PM -0400, > > Andrew Sullivan wrote > > a message of 49 lines which said: > > > > > Nobody is suggesting that the DNSEXT WG is the be-all and end-all of > > > DNS, but in the IETF we have exactly one way to proceed, and that is > > > to work on Internet Drafts. If nobody is willing to write such a > > > draft, then we're out of luck. > > > > Which leads to a question (which is not only related to DNScurve but > > also to the EDNS-PING or cookies assassinations): what body is in > > charge of the DNS security? Not this WG, which only examines things > > properly formatted as I-D, and is more and more a DNSSEC-only WG. So, > > who? ICANN SSAC? ITU WG-nnn? DNS-OARC? US DHS? Microsoft with its > > Conficker bounties? > > > > I suspect the answer is "No one does, that's the Internet way" but it > > may be too frightening for my little heart. > > > > I have a bad feeling that the correct answer (although they won't admit it) is that ISC is the one who decides. After all, their proponents seem to get the "final say" on how things are done. > > -- cm > > > -- > > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > > the word 'unsubscribe' in a single line as the message text body. > > archive: Regards, Spokesman for INEGroup LLA. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 12:46:15 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 588313A6AD8; Mon, 18 May 2009 12:46:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llg04Vda+tnz; Mon, 18 May 2009 12:46:14 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7B9D23A6E8D; Mon, 18 May 2009 12:45:56 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68kM-000O44-J4 for namedroppers-data0@psg.com; Mon, 18 May 2009 19:43:38 +0000 Received: from [209.85.200.172] (helo=wf-out-1314.google.com) by psg.com with esmtp (Exim 4.69 
(FreeBSD)) (envelope-from ) id 1M68k9-000O1P-Uz for namedroppers@ops.ietf.org; Mon, 18 May 2009 19:43:31 +0000 Received: by wf-out-1314.google.com with SMTP id 29so833581wff.32 for ; Mon, 18 May 2009 12:43:25 -0700 (PDT) MIME-Version: 1.0 Received: by 10.143.45.14 with SMTP id x14mr1991587wfj.329.1242675805032; Mon, 18 May 2009 12:43:25 -0700 (PDT) Date: Mon, 18 May 2009 12:43:25 -0700 Message-ID: Subject: Re: [dnsext] Re: DNSCurve From: Matthew Dempsky To: Alex Bligh Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Mon, May 18, 2009 at 11:58 AM, Matthew Dempsky wrote: > Off hand, I don't know of any > disclaimer about Poly1305, but I suspect he's willing to make the same > claim about it as well. At http://cr.yp.to/mac.html, one of the listed features of Poly1305-AES is "No intellectual-property claims. I am not aware of any patents or patent applications relevant to Poly1305-AES." (Poly1305-AES is simply Poly1305 used in conjunction with AES; replacing AES with another cipher such as XSalsa20 is a trivial change.) -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Mon May 18 12:51:50 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA5BA3A68AC; Mon, 18 May 2009 12:51:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CyUxzp0x1wC; Mon, 18 May 2009 12:51:50 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0D23E3A6AD8; Mon, 18 May 2009 12:51:50 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68rC-000P0x-Dv for namedroppers-data0@psg.com; Mon, 18 May 2009 19:50:42 +0000 Received: from [209.85.200.173] (helo=wf-out-1314.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68qz-000OzL-1l for namedroppers@ops.ietf.org; Mon, 18 May 2009 19:50:35 +0000 Received: by wf-out-1314.google.com with SMTP id 29so834630wff.32 for ; Mon, 18 May 2009 12:50:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.142.200.3 with SMTP id x3mr1619106wff.183.1242676228942; Mon, 18 May 2009 12:50:28 -0700 (PDT) In-Reply-To: References: Date: Mon, 18 May 2009 12:50:28 -0700 Message-ID: Subject: Re: [dnsext] Re: DNSCurve From: Matthew Dempsky To: Alex Bligh Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Mon, May 18, 2009 at 12:50 PM, Alex Bligh wrote: > I meant DNSCurve, which is why I said "misremembered". Ah, I misinterpreted then. 
Sorry about that. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 12:53:01 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA8603A6E41; Mon, 18 May 2009 12:53:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.539 X-Spam-Level: X-Spam-Status: No, score=-0.539 tagged_above=-999 required=5 tests=[AWL=-0.044, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmUiwTKrcahv; Mon, 18 May 2009 12:53:01 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 272C83A6CDD; Mon, 18 May 2009 12:53:01 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68q0-000OpJ-Fe for namedroppers-data0@psg.com; Mon, 18 May 2009 19:49:28 +0000 Received: from [217.147.82.63] (helo=mail.avalus.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M68po-000Onj-Gl for namedroppers@ops.ietf.org; Mon, 18 May 2009 19:49:22 +0000 Received: from [192.168.100.67] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id 8FD71C2DA3; Mon, 18 May 2009 20:49:09 +0100 (BST) Date: Mon, 18 May 2009 20:50:29 +0100 From: Alex Bligh Reply-To: Alex Bligh To: Matthew Dempsky cc: namedroppers@ops.ietf.org, Alex Bligh Subject: Re: [dnsext] Re: DNSCurve Message-ID: In-Reply-To: References: X-Mailer: Mulberry/4.0.8 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: 
owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: --On 18 May 2009 12:32:04 -0700 Matthew Dempsky wrote: > On Mon, May 18, 2009 at 12:24 PM, Alex Bligh wrote: >> Ah - I had (mis)remembered that the ECC algorithm itself was only used >> for precalculated public key crypto in DNSCURVE. > > I think you mean DNSSEC here. DNSCurve does not "precalculate" > anything, though it does allow for caching of Diffie-Hellman shared > secrets. I meant DNSCurve, which is why I said "misremembered". -- Alex Bligh -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 13:04:01 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CADD33A6D43; Mon, 18 May 2009 13:04:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.681 X-Spam-Level: * X-Spam-Status: No, score=1.681 tagged_above=-999 required=5 tests=[AWL=-0.482, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mj+dk1sGeb5k; Mon, 18 May 2009 13:04:01 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id DAE113A6DF7; Mon, 18 May 2009 13:04:00 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M691D-000099-MH for namedroppers-data0@psg.com; Mon, 18 May 2009 20:01:03 +0000 Received: from [209.86.89.62] (helo=elasmtp-dupuy.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M690y-00007O-3c for namedroppers@ops.ietf.org; Mon, 18 May 2009 20:00:54 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; 
c=nofws; s=dk20050327; d=ix.netcom.com; b=Y0r5DlRFzYGFuqa0YSR+hrxMPn5HfYJnRtF7kUeO/+O67vI2axzJU45G3Fr4p7/U; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.93] (helo=ix.netcom.com) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M690w-0005R0-Dx; Mon, 18 May 2009 16:00:47 -0400 Message-ID: <4A11BE61.44E473F3@ix.netcom.com> Date: Mon, 18 May 2009 13:00:33 -0700 From: "Jeffrey A. Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Andrew Sullivan CC: namedroppers@ops.ietf.org Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE References: <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net> <20090518092557.GB23462@vacation.karoshi.com.> <20090518132811.GD4057@shinkuro.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606885cc05df3eb6c833fa1307f3e9451f4eb350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Andrew and all, Heaven and the ISC, not being necessarily mutually exclusive, forbid! >:) Andrew Sullivan wrote: > [no hat] > > On Mon, May 18, 2009 at 09:25:57AM +0000, bmanning@vacation.karoshi.com wrote: > > > s/ISC/Dominant DNS implementors/ > > i.e. those with running code? > > A > > -- > Andrew Sullivan > ajs@shinkuro.com > Shinkuro, Inc. > > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. > archive: Regards, Spokesman for INEGroup LLA. 
-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 13:05:35 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0D6C3A6F76; Mon, 18 May 2009 13:05:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.69 X-Spam-Level: * X-Spam-Status: No, score=1.69 tagged_above=-999 required=5 tests=[AWL=-0.473, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6lmIdZbIdD3J; Mon, 18 May 2009 13:05:35 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id F16183A6D43; Mon, 18 May 2009 13:05:34 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6936-0000PQ-BB for namedroppers-data0@psg.com; Mon, 18 May 2009 20:03:00 
+0000 Received: from [209.86.89.70] (helo=elasmtp-banded.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M692u-0000Ne-99 for namedroppers@ops.ietf.org; Mon, 18 May 2009 20:02:53 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=PpiMJ93YyDXek3xjJlI7L/NfE832DyQNoa61+3kZ7o2CsDNijb0toXB96EJn6ReE; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.93] (helo=ix.netcom.com) by elasmtp-banded.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M692r-0005Vg-BP; Mon, 18 May 2009 16:02:46 -0400 Message-ID: <4A11BED8.463E698A@ix.netcom.com> Date: Mon, 18 May 2009 13:02:32 -0700 From: "Jeffrey A. Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: bmanning@vacation.karoshi.com CC: Andrew Sullivan , namedroppers@ops.ietf.org Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE References: <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net> <20090518092557.GB23462@vacation.karoshi.com.> <20090518132811.GD4057@shinkuro.com> <20090518134525.GA25815@vacation.karoshi.com.> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606884a80e4d32e5f31b1d972c151dc99ea58350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Bill and all, Rather presumptuous my good fellow. 
>:) bmanning@vacation.karoshi.com wrote: > On Mon, May 18, 2009 at 09:28:11AM -0400, Andrew Sullivan wrote: > > [no hat] > > > > On Mon, May 18, 2009 at 09:25:57AM +0000, bmanning@vacation.karoshi.com wrote: > > > > > s/ISC/Dominant DNS implementors/ > > > > i.e. those with running code? > > one assumes that they achieve their dominant position based on > use of running code - instead of being dominant in other traits, > YMMV... :) > > --bill > > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. > archive: Regards, Spokesman for INEGroup LLA. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Mon May 18 13:07:54 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40E953A7041; Mon, 18 May 2009 13:07:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.699 X-Spam-Level: * X-Spam-Status: No, score=1.699 tagged_above=-999 required=5 tests=[AWL=-0.464, BAYES_50=0.001, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjrlXqCFNBGC; Mon, 18 May 2009 13:07:53 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 319313A7001; Mon, 18 May 2009 13:07:53 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M695L-0000k4-87 for namedroppers-data0@psg.com; Mon, 18 May 2009 20:05:19 +0000 Received: from [209.86.89.65] (helo=elasmtp-kukur.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6956-0000hE-QQ for namedroppers@ops.ietf.org; Mon, 18 May 2009 20:05:12 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=I4eJt+vEf/AUm5KiKhTMaNIeioLJTc0RLN4bH+gwePT+j4HJkzbk/R2HNNR14+Gs; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.93] (helo=ix.netcom.com) by elasmtp-kukur.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M6953-00017K-AL; Mon, 18 May 2009 16:05:01 -0400 Message-ID: <4A11BF60.3A92EB30@ix.netcom.com> Date: Mon, 18 May 2009 13:04:48 -0700 From: "Jeffrey A. 
Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Hoffman CC: Florian Weimer , namedroppers@ops.ietf.org Subject: Re: [dnsext] Increasing hash collision resilience References: <82eiumzw0c.fsf@mid.bfk.de> <82eiumh8md.fsf@mid.bfk.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e51960688af2ebb349b2855e053fa2509bb3de5e2350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
Paul and all, Agreed with your conclusion. However, what is not necessarily "Published" is not necessarily not occurring. Paul Hoffman wrote: > At 2:56 PM +0200 5/18/09, Florian Weimer wrote: > >Right now, this is rather theoretical because a sufficiently potent > >attack for SHA-1 has not been published. > > Correct. In fact, not a single actual collision for SHA-1 has been published. > > >However, it is widely > >believed that such attacks are just around the corner. > > Could you point to some references on that? I have not heard anyone in the crypto community saying that. Of course, it depends on what you mean by "just around the corner". > > I do *not* support the use of randomized hashing for DNSSEC; the use of already-defined better hash algorithms (SHA-256) is a much better option. > > --Paul Hoffman, Director > --VPN Consortium Regards, Spokesman for INEGroup LLA.
From owner-namedroppers@ops.ietf.org Mon May 18 13:16:41 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 603303A6A0C; Mon, 18 May 2009 13:16:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.336 X-Spam-Level: * X-Spam-Status: No, score=1.336 tagged_above=-999 required=5 tests=[AWL=-0.086, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scDkIKmfLU+h; Mon, 18 May 2009 13:16:40 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 1A2A53A68AC; Mon, 18 May 2009 13:16:40 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M69EO-0001yU-7n for namedroppers-data0@psg.com; Mon, 18 May 2009 20:14:40 +0000 Received: from [209.86.89.69] (helo=elasmtp-mealy.atl.sa.earthlink.net) by psg.com with esmtp (Exim 4.69 
(FreeBSD)) (envelope-from ) id 1M69EB-0001wU-73 for namedroppers@ops.ietf.org; Mon, 18 May 2009 20:14:33 +0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=p5Prxa6kMCWomsEWO+bAZ7QsVG7U8q1bR787q1WIT+VU5Db1fNaOYZBZlsg7GUyX; h=Received:Message-ID:Date:From:Organization:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP; Received: from [4.227.102.93] (helo=ix.netcom.com) by elasmtp-mealy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from ) id 1M69E6-0000FD-Gy; Mon, 18 May 2009 16:14:23 -0400 Message-ID: <4A11C191.5D299FE1@ix.netcom.com> Date: Mon, 18 May 2009 13:14:09 -0700 From: "Jeffrey A. Williams" Organization: IDNS and Spokesman for INEGroup X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Paul Vixie CC: Aki Tuomi , namedroppers@ops.ietf.org Subject: Re: [dnsext] Security of the DNS, holistic approach (Was: DNSCURVE References: <20090516000313.GA19843@vacation.karoshi.com.> <4A0E307D.3060208@acm.org> <4A0EEC5A.2020708@post.harvard.edu> <20090517194834.GA3819@shinkuro.com> <20090518081713.GD936@nic.fr> <86048CA3B4B17E459FFD4F3F383AD88F13F27BF0@fi-hel2ex01.nordiclan.net> <99449.1242655549@nsa.vix.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e5196068852479a696609aac3dd576ac55654b824350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 4.227.102.93 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: Paul and all, In the real world, I/we fix what is broken to the best of our ability, however limited or not that may be, and do not necessarily adhere to ISC's advice or recommendations in doing so. 
Nor do I/we consider same as far as the IETF is concerned as in doing so would mean that many broken DNS problems remain broken far too long and at far too much exposure to the user unnecessarily, and in my view, irresponsibly as well as on occasion dangerously. A few times in my recollection the ISC has been too far behind the curve leaving users too exposed too long and far too dangerously I can't definitively say as to why... Paul Vixie wrote: > > Date: Mon, 18 May 2009 11:40:23 +0300 > > From: "Aki Tuomi" > > ... > > I have a bad feeling that the correct answer (although they won't admit > > it) is that ISC is the one who decides. After all, their proponents seem > > to get the "final say" on how things are done. > > frequent simultaneity does not necessarily require causality. ISC has > hired the best people we could get, and we will continue to do so. (CVs to > me plz) those people, due to their long experience, tend to have a lot to > say which is often intelligent and rational. if you see ISC people winning > arguments or leading consensus, that may be because of our selection > criteria for employees, and not because of ISC's brand strength or BIND's > market size. > > once in a while we do stuff that's controversial and we do it outside IETF. > for example, delegation only, and DNSSEC lookaside validation (DLV). these > features are never enabled by default in our code base since they are not > part of the IETF DNS standard, to which we adhere strongly. note that some > of the stuff IETF has come up with (DNSSEC, EDNS) has also been controversial > in the eyes of our user/customer base, but we default it to "on" when we can > do it without breaking existing configurations. > > where we encounter problems in the field like open recursion, we try to work > with the IETF DNSEXT WG to get a draft RFC written, specifically so that we > can change the default BIND configuration. 
(for open recursion, we wanted to > default to allowing queries only from the locally attached networks, and the > result was RFC 5358, and the BIND version that changed this default did in > fact break some working configurations, but it was absolutely unavoidable.) > > a few years back when i saw this WG as moribund i tried to start a separate > entity called DNS-MODA that would push for new DNS technology and standards, > and for a while we (ISC, WIDE, Autonomica) thought we might get that going. > in the end we found a lack of institutional interest (that is, sponsorship > and active participation) in anything more ambitious than this working group, > so we shut DNS-MODA down. i'm still interested in something like that, btw. > > so to the extent possible, ISC works within the IETF standards process, and > we are bound by tradition to implement whatever DNS standards come from this > working group. and we have some of the best DNS technologists in the field, > which is the reason you so often see ISC people getting consensus on stuff. > (getting consensus inside ISC is often a much rougher process than the > debates and discussions you can see on namedroppers@, btw.) > > note that this nonadmission of decisionmaking powers by ISC also contains an > alternative explanation for the appearance thereof. > > paul vixie > president > isc Regards, Spokesman for INEGroup LLA.
From owner-namedroppers@ops.ietf.org Mon May 18 15:03:44 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2E1B28C265; Mon, 18 May 2009 15:03:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.127 X-Spam-Level: X-Spam-Status: No, score=0.127 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 64ZGxmUbcRpu; Mon, 18 May 2009 15:03:43 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A09313A6AD8; Mon, 18 May 2009 15:03:43 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ArT-000DE3-R2 for namedroppers-data0@psg.com; Mon, 18 May 2009 21:59:07 +0000 Received: from [209.85.217.207] (helo=mail-gx0-f207.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ArG-000DCG-SB for namedroppers@ops.ietf.org; Mon, 18 May 2009 21:59:01 +0000 Received: by gxk3 with SMTP id 3so7325843gxk.17 for ; Mon, 18 May 2009 14:58:53 -0700 (PDT) MIME-Version: 1.0 Received: by 10.90.88.16 with SMTP id l16mr6261530agb.91.1242683931619; Mon, 18 May 2009 14:58:51 
-0700 (PDT) Date: Mon, 18 May 2009 14:58:51 -0700 Message-ID: Subject: [dnsext] Re: DNSCurve From: Matthew Dempsky To: Stephane Bortzmeyer Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
On Mon, May 18, 2009 at 9:51 AM, Matthew Dempsky wrote: > On Mon, May 18, 2009 at 1:10 AM, Stephane Bortzmeyer wrote:
>> Integrity despite        Protects against        Does not protect against
>> rogue secondary name     it                      it
>> servers of resolvers
> > Somewhat agree. I don't have much more time to reply to emails right > now, so I'll just offer an IOU to expand upon this later. For now, I'll go ahead and change my response to "Agree," but I'd like to point out at least one thing on this topic. Right now there are 13 root servers and 8 .fr servers. However, there are about another 120 name servers that could poison the entire .fr domain if they were "rogue". E.g., ns.via.net is a name server for zocalo.net, ns.zocalo.net is a name server for ucsc.edu, ns1.ucsc.edu is a name server for princeton.edu, dns.princeton.edu is a name server for inria.fr, dns.inria.fr is a name server for nic.fr, and all of the .fr name servers are within nic.fr. I don't mean to imply any malice on the part of ViaNet (I picked them as a somewhat arbitrary example among the 120 possible candidates), but as it is, their name servers could poison any public DNS cache with bogus .fr data without much difficulty. This is a risk that every domain in .fr faces today, and one that can be fixed by purely administrative means (e.g., see how .se, .jp, and .biz are setup). Deploying DNSSEC everywhere could fix this too, but why wait? 
If not protecting against rogue secondary name servers is considered a mark against DNSCurve, shouldn't more TLDs be organized to avoid these kinds of frivolous third party dependencies? -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Mon May 18 22:23:15 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DF1A63A709B; Mon, 18 May 2009 22:23:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.495 X-Spam-Level: X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRZm87I1fOxZ; Mon, 18 May 2009 22:23:15 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 74AE43A68D5; Mon, 18 May 2009 22:23:14 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6Hgm-000Lgq-9N for namedroppers-data0@psg.com; Tue, 19 May 2009 05:16:32 +0000 Received: from [75.102.55.14] (helo=m1.sjc1.everydns.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6Hga-000Lg3-DC for namedroppers@ops.ietf.org; Tue, 19 May 2009 05:16:25 +0000 Received: from mail.perfectemail.net ([71.6.170.56] helo=ellie.everybox.com) by m1.sjc1.everydns.com with esmtp (Exim 4.63) (envelope-from ) id 1M6HgU-0002Cs-HO for namedroppers@ops.ietf.org; Tue, 19 May 2009 05:16:16 +0000 Received: (qmail 5445 invoked by uid 112); 19 May 2009 05:16:14 -0000 Received: from 67.215.69.5 by ellie.everybox.com (envelope-from , uid 105) with 
qmail-scanner-2.05 (spamassassin: 3.2.5. Clear:RC:1(67.215.69.5):. Processed in 0.012159 secs); 19 May 2009 05:16:14 -0000 Received: from unknown (HELO Davids-MacBook-Pro.local) (67.215.69.5) by ellie.everybox.com with SMTP; 19 May 2009 05:16:14 -0000 Message-ID: <4A12409D.1070104@everydns.net> Date: Mon, 18 May 2009 22:16:13 -0700 From: David Ulevitch User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090509 Shredder/3.0b3pre MIME-Version: 1.0 To: Andrew Sullivan CC: Stephane Bortzmeyer , namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org" Subject: Re: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090518075826.GA936@nic.fr> <20090518134906.GE4057@shinkuro.com> In-Reply-To: <20090518134906.GE4057@shinkuro.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
On 5/18/09 6:49 AM, Andrew Sullivan wrote: > The simple fact is that an EDNS0 Option Code requires publication of > an RFC. That's not true. As Bert pointed out, 4 & 5 are in use today. The fact that IANA has no reasonable way to register them is not a problem with using EDNS0 Option Codes -- it's a problem with how IANA chooses to encumber registration of EDNS0 Option Codes for implementers and operators. Really, the IANA ought to just mark EDNS0 Option Codes 4 and 5 as registered for their respective uses and create a sane policy for future registrations. IANA makes registering other, far more scarce, resources much easier and EDNS0 Option Codes should be no different. At the end of the day, making the process easy fosters innovation and development in a way that promotes interoperability and stability. 
-David
From owner-namedroppers@ops.ietf.org Tue May 19 01:06:30 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C8DE28C274; Tue, 19 May 2009 01:06:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.922 X-Spam-Level: X-Spam-Status: No, score=0.922 tagged_above=-999 required=5 tests=[AWL=-0.128, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QpeKnzRN9iAp; Tue, 19 May 2009 01:06:28 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BE9E028C302; Tue, 19 May 2009 01:06:28 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6KEL-000ARO-Pc for namedroppers-data0@psg.com; Tue, 19 May 2009 07:59:21 +0000 Received: from [193.227.124.2] (helo=mx01.bfk.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6KE9-000AQg-FS for namedroppers@ops.ietf.org; Tue, 19 May 2009 07:59:15 +0000 Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1M6KE8-0005q5-DN; Tue, 19 May 2009 09:59:08 +0200 Received: from fweimer by bfk.de with local id 1M6KDq-0000vW-Ux; Tue, 19 May 2009 09:58:51 +0200 To: Ólafur Guðmundsson /DNSEXT chair Cc: namedroppers@ops.ietf.org Subject: Re: [dnsext] Increasing hash collision resilience References: <82eiumzw0c.fsf@mid.bfk.de> <82eiumh8md.fsf@mid.bfk.de> 
<200905181642.n4IGg5tw027927@stora.ogud.com> From: Florian Weimer Date: Tue, 19 May 2009 09:58:50 +0200 In-Reply-To: <200905181642.n4IGg5tw027927@stora.ogud.com> (Ólafur Guðmundsson's message of "Mon, 18 May 2009 12:41:36 -0400") Message-ID: <823ab1ed6t.fsf@mid.bfk.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
* Ólafur Guðmundsson: > The concerns that SHA-1 would become vulnerable before new generation of > hash algorithms become available was the reason for the WG to rush RFC4509 > through. http://www.ietf.org/rfc/rfc4509.txt > > The message to everyone should be. > - Only list DS with digest algorithm =2 > - or list both digest algorithm 1 and 2 > > The problem is that some DS records in many cases will be submitted > by children and the children need to be educated to use digest 2. The value of the Digest Type does not matter. (If the zone signer demands proof for the DS records in the form of DNSKEYs, it's unlikely that we'll see an attack during the next couple of years, neither for SHA-1 or SHA-256.) To address the issue with unchecked DS records submitted by untrusted parties, you need to switch to a different hashing algorithm in RRSIG signatures. draft-ietf-dnsext-dnssec-rsasha256-13 still hasn't been published as an RFC. And general availability is two to three years away. > Is it time to change the status of SHA-1 in the registry from "MANDATORY" > to "Not recommended" or "Obsolete"? > http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml This action would have to target the DNSSEC Algorithm Types registry, but such a step seems rather premature at this stage. Incorporating it into draft-ietf-dnsext-dnssec-rsasha256-13 is probably not a good idea because it would delay its publication even further. 
-- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
From owner-namedroppers@ops.ietf.org Tue May 19 05:30:31 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 135213A6D1B; Tue, 19 May 2009 05:30:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.021 X-Spam-Level: X-Spam-Status: No, score=-1.021 tagged_above=-999 required=5 tests=[AWL=-0.826, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJU-5R0xYHKv; Tue, 19 May 2009 05:30:30 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 10D313A6D13; Tue, 19 May 2009 05:30:29 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ONu-000B5R-Qa for namedroppers-data0@psg.com; Tue, 19 May 2009 12:25:30 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ONe-000B3k-Vp for namedroppers@ops.ietf.org; Tue, 19 May 2009 12:25:24 +0000 Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4JCP8S3040806; Tue, 19 May 2009 08:25:09 -0400 (EDT) (envelope-from ogud@ogud.com) Message-Id: <200905191225.n4JCP8S3040806@stora.ogud.com> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Tue, 19 May 2009 08:23:37 -0400 To: Florian Weimer , Ólafur Guðmundsson /DNSEXT chair From: Olafur Gudmundsson Subject: Re: [dnsext] Increasing hash collision resilience Cc: namedroppers@ops.ietf.org In-Reply-To: <823ab1ed6t.fsf@mid.bfk.de> References: <82eiumzw0c.fsf@mid.bfk.de> <82eiumh8md.fsf@mid.bfk.de> <200905181642.n4IGg5tw027927@stora.ogud.com> <823ab1ed6t.fsf@mid.bfk.de> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
At 03:58 19/05/2009, Florian Weimer wrote: >* Ólafur Guðmundsson: > > > The concerns that SHA-1 would become vulnerable before new generation of > > hash algorithms become available was the reason for the WG to rush RFC4509 > > through. http://www.ietf.org/rfc/rfc4509.txt > > > > The message to everyone should be. > > - Only list DS with digest algorithm =2 > > - or list both digest algorithm 1 and 2 > > > > The problem is that some DS records in many cases will be submitted > > by children and the children need to be educated to use digest 2. > >The value of the Digest Type does not matter. (If the zone signer >demands proof for the DS records in the form of DNSKEYs, it's unlikely >that we'll see an attack during the next couple of years, neither for >SHA-1 or SHA-256.) How is this a practical attack? The attacker has only part of the input to the signature under his/her control. Parent signs the DS record and selects timer values[1] of the RRSIG: Signature Inception, Signature Expire, TTL. Once a target DS signature is generated the attacker has only the "effective" life signature to play with, trying to create a collision signature. If parent is using predictable timing values the attacker still has to submit the "attack DS set" during a one second window to have a good chance to get the right signature values. 
>To address the issue with unchecked DS records submitted by untrusted >parties, you need to switch to a different hashing algorithm in RRSIG >signatures. draft-ietf-dnsext-dnssec-rsasha256-13 still hasn't been >published as an RFC. And general availability is two to three years >away. > > > Is it time to change the status of SHA-1 in the registry from "MANDATORY" > > to "Not recommended" or "Obsolete"? > > http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml > >This action would have to target the DNSSEC Algorithm Types registry, >but such a step seems rather premature at this stage. Incorporating >it into draft-ietf-dnsext-dnssec-rsasha256-13 is probably not a good >idea because it would delay its publication even further. The attack you are describing is available against all RR types (DS is just most attractive one). Thus if a fix is needed that should protect all types not just one. A better solution is to recommend that when signing records the timer values be randomly picked from a range for example:
sig init   [curr time-256..curr_time]
sig expire [lifetime-3600..curr_time+3600]
TTL        [standard_TTL-1024..standard_TTL+1024]
This has no protocol implications. Olafur
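The exposure Florian and Olafur are arguing about, as an added example that is not code from the thread: the parent hashes the child-submitted DS RDATA together with the RRSIG's own inception, expiration and original TTL, so a collision block prepared against a predicted signed input only pays off if the signer picks exactly the timer values the attacker guessed. Wire formats follow RFC 4034 (DS digest, key tag, RRSIG signed data) and RFC 4509 (digest type 2). `randomized_timers` is one reading of Olafur's ranges (his "sig expire" range is taken as now+lifetime plus or minus 3600 s); the zone names, the toy DNSKEY and the parent's key tag 12345 are constructed. `collision_lands` hashes with whatever the RRSIG algorithm uses, not the DS digest type, which is Florian's point.

```python
"""Added example: what a parent signs for a child's DS RRset (RFC 4034 / RFC 4509)
and how randomized RRSIG timers defeat a precomputed hash collision. Not code from
the thread; names, DNSKEY bytes and the signer key tag below are constructed."""
import hashlib
import random
import struct

CLASS_IN = 1
TYPE_DS = 43
ALG_RSASHA1 = 5                                  # RRSIG algorithm 5 hashes with SHA-1
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034, RFC 4509)

# Constructed data: child zone, parent zone, toy DNSKEY RDATA
# (flags 0x0101, protocol 3, algorithm 8, four bytes standing in for the key).
CHILD = "child.example."
PARENT = "example."
DNSKEY_RDATA = bytes.fromhex("01010308") + b"\x01\x02\x03\x04"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """DS RDATA: key tag | algorithm | digest type | H(owner | DNSKEY RDATA).
    This is the part of the signed input the child (the attacker) chooses."""
    alg = dnskey_rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), alg, digest_type) + digest


def rrsig_signed_data(owner, rtype, ttl, rdatas, alg, expiration, inception,
                      signer, signer_keytag):
    """Bytes the parent hashes and signs for one RRset (RFC 4034 3.1.8.1):
    the RRSIG RDATA without its signature field, then the canonical RRs."""
    labels = len(owner.rstrip(".").split("."))
    head = struct.pack("!HBBIIIH", rtype, alg, labels, ttl, expiration, inception,
                       signer_keytag) + name_to_wire(signer)
    owner_wire = name_to_wire(owner)
    rrs = b"".join(owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
                   for rd in sorted(rdatas))          # canonical RR ordering
    return head + rrs


def predictable_timers(now, lifetime, standard_ttl):
    """Signer behaviour an attacker can forecast: sign now, expire at now+lifetime."""
    return now, now + lifetime, standard_ttl


def randomized_timers(now, lifetime, standard_ttl, rng):
    """Olafur's proposal as read here: draw inception, expiration and TTL from
    ranges so the exact hashed input is unknown until the signer runs."""
    inception = rng.randint(now - 256, now)
    expiration = rng.randint(now + lifetime - 3600, now + lifetime + 3600)
    ttl = rng.randint(standard_ttl - 1024, standard_ttl + 1024)
    return inception, expiration, ttl


def prediction_space():
    """Distinct (inception, expiration, TTL) triples the ranges above allow;
    a precomputed collision block fits exactly one of them."""
    return 257 * 7201 * 2049


def collision_lands(predicted_input, actual_input, hash_alg=hashlib.sha1):
    """A collision built for predicted_input helps only if the signer hashes
    exactly that byte string. hash_alg follows the RRSIG algorithm."""
    return hash_alg(predicted_input).digest() == hash_alg(actual_input).digest()


def demo(now=1242741600, lifetime=30 * 86400, standard_ttl=86400, seed=2009):
    """Returns (collision lands with fixed timers, collision lands with randomized timers)."""
    ds = ds_rdata(CHILD, DNSKEY_RDATA, 2)
    inc, exp, ttl = predictable_timers(now, lifetime, standard_ttl)
    guess = rrsig_signed_data(CHILD, TYPE_DS, ttl, [ds], ALG_RSASHA1, exp, inc, PARENT, 12345)
    fixed = rrsig_signed_data(CHILD, TYPE_DS, ttl, [ds], ALG_RSASHA1, exp, inc, PARENT, 12345)
    rinc, rexp, rttl = randomized_timers(now, lifetime, standard_ttl, random.Random(seed))
    actual = rrsig_signed_data(CHILD, TYPE_DS, rttl, [ds], ALG_RSASHA1, rexp, rinc, PARENT, 12345)
    return collision_lands(guess, fixed), collision_lands(guess, actual)


if __name__ == "__main__":
    print("key tag:", key_tag(DNSKEY_RDATA), " timer triples to cover:", prediction_space())
    print("collision lands (fixed timers, randomized timers):", demo())
```

Run stand-alone, it prints the key tag, the roughly 3.8e9 timer triples an attacker would have to cover for one DS set, and that a collision prepared against predictable timers lines up with fixed signing but not once the signer randomizes; combined with the one-second submission window Olafur mentions, the attacker cannot simply try them all. Moving the RRSIG algorithm from 5 to 8 (the rsasha256 draft) changes `hash_alg` to SHA-256, whereas changing the DS digest type only alters bytes inside the RDATA the attacker already controls.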
From owner-namedroppers@ops.ietf.org Tue May 19 08:09:58 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FAB83A6EB8; Tue, 19 May 2009 08:09:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.816 X-Spam-Level: X-Spam-Status: No, score=-105.816 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flWj3JSYdGF2; Tue, 19 May 2009 08:09:57 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A3BE73A6C72; Tue, 19 May 2009 08:09:57 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6Qsz-0004DB-TM for namedroppers-data0@psg.com; Tue, 19 May 2009 15:05:45 +0000 Received: from [2001:660:3003:2::4:11] (helo=mx2.nic.fr) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6Qsl-0004AL-Hd for namedroppers@ops.ietf.org; Tue, 19 May 2009 15:05:37 +0000 Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id 6400A1C007E; Tue, 19 May 2009 17:05:30 +0200 (CEST) Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx2.nic.fr (Postfix) with ESMTP id 5F7E21C002D; Tue, 19 May 2009 17:05:30 +0200 (CEST) Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay2.nic.fr (Postfix) with ESMTP id 5D7167B003B; Tue, 19 May 2009 17:05:30 +0200 (CEST) Date: Tue, 19 May 2009 17:05:30 +0200 From: Stephane Bortzmeyer To: Ólafur Guðmundsson /DNSEXT chair Cc: namedroppers@ops.ietf.org Subject: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption 
of EDNS-PING Message-ID: <20090519150530.GA27304@nic.fr> References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com> <20090518075826.GA936@nic.fr> <200905181505.n4IF5aMq026853@stora.ogud.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <200905181505.n4IF5aMq026853@stora.ogud.com> X-Operating-System: Debian GNU/Linux 5.0.1 X-Kernel: Linux 2.6.26-1-686 i686 Organization: NIC France X-URL: http://www.nic.fr/ User-Agent: Mutt/1.5.18 (2008-05-17) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:
On Mon, May 18, 2009 at 10:56:53AM -0400, Ólafur Guðmundsson /DNSEXT chair wrote a message of 62 lines which said: > RFC2671 says "Published RFC" as allocation mechanism for EDNS0 > options (see last paragraph in section 7). Yes, not "Standards Track RFC". The IANA registry says "Specification Required" and this is the only error I find, it should be "RFC Required" (the list of possible policies is in RFC 5226, section 4.1). > Any individual RFC will be sent to DNSEXT for comment by the IESG, thus > no end run is possible. For comment, yes, it is reasonable, but it does not mean the comments are binding. > I'm hoping that the WG will turn its attention to work on > RFC2671-bis and in that context figure out what the right rule is > and specify it. Why not, but in the meantime, the rules are set by RFC 2671 and it is not up to the WG or its chairs or IANA to override them. The situation is clear: any published RFC is sufficient to get an EDNS option code. Maybe it will be different in the future, if a 2671bis is published but, today, 2671 is the rule.
From: Stephane Bortzmeyer
To: David Ulevitch
Cc: namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Date: Tue, 19 May 2009 17:11:25 +0200
Subject: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

On Mon, May 18, 2009 at 10:16:13PM -0700, David Ulevitch wrote a message of 20 lines which said:

> it's a problem with how IANA chooses to encumber registration of
> EDNS0 Option Codes for implementers and operators.

It's not IANA. The rules of *any* IANA registry are not set by IANA but, for most of them, by the IETF, through the RFC "IANA considerations" section (see RFC 5226). So, the rules allow registration of an EDNS option code, provided an RFC is published (it can be an Experimental one).

> Really, the IANA ought to just mark EDNS0 Option Code 4 and 5 as
> registered

They cannot, until an RFC is published (that's what RFC 2671 says, in its "IANA considerations" section).

> IANA makes registering other, far more scarce, resources much easier
> and EDNS0 Option Codes should be no different. At the end of the
> day, making the process easy fosters innovation and development
> in a way that promotes interoperability and stability.

It's true that attempts to discourage registration of EDNS code points are a problem and a risk for the quality of the registry (if people start to pick EDNS option codes at random and just use them), but, as I said, it is not IANA's fault. My suggestion would be to publish EDNS-ping as Experimental or Informational and then IANA could not refuse an official option code.
From: Stephane Bortzmeyer
To: Matthew Dempsky
Cc: namedroppers@ops.ietf.org
Date: Tue, 19 May 2009 17:16:33 +0200
Subject: [dnsext] Configuration of domains, secondaries in the domain or not? (Was: DNSCurve

On Mon, May 18, 2009 at 02:58:51PM -0700, Matthew Dempsky wrote a message of 30 lines which said:

> shouldn't more TLDs be organized to avoid these kinds of frivolous
> third party dependencies?

We are drifting far away from DNScurve, but do note it is NOT "frivolous third party dependencies" but a deliberate design decision. There have been MANY debates in the TLD community between the single-engined (all the name servers in one domain, and no dependency) and the multi-engined approach, and there is no consensus yet (check .DE or .ORG).
From: Paul Vixie
To: Stephane Bortzmeyer
Cc: David Ulevitch, namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Date: Tue, 19 May 2009 16:01:09 +0000
Subject: Re: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

> Date: Tue, 19 May 2009 17:11:25 +0200
> From: Stephane Bortzmeyer
> ...
> > Really, the IANA ought to just mark EDNS0 Option Code 4 and 5 as
> > registered
>
> They cannot, until an RFC is published (that's what RFC 2671 says, in
> its "IANA considerations" section).

note that the iana considerations section of rfc 2671 came to the ID author from the WG chairs as "the common wisdom of that moment". it was not intended to be prescriptive in the sense that doing it some other way would cause the protocol itself to malfunction. if there's a reason to do it some other way then we should make a change.

> It's true that attempts to discourage registration of EDNS code points
> are a problem and a risk for the quality of the registry (if people start
> to pick EDNS option codes at random and just use them), but, as I said, it
> is not IANA's fault. My suggestion would be to publish EDNS-ping as
> Experimental or Informational and then IANA could not refuse an official
> option code.

that seems to be an easy way forward. (SRV is still "experimental", FWIW.)
From: David Ulevitch
To: Paul Vixie
Cc: Stephane Bortzmeyer, namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Date: Tue, 19 May 2009 09:06:23 -0700
Subject: Re: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

On 5/19/09 9:01 AM, Paul Vixie wrote:

>> Date: Tue, 19 May 2009 17:11:25 +0200
>> From: Stephane Bortzmeyer
>
> note that the iana considerations section of rfc 2671 came to the ID author
> from the WG chairs as "the common wisdom of that moment". it was not
> intended to be prescriptive in the sense that doing it some other way would
> cause the protocol itself to malfunction. if there's a reason to do it
> some other way then we should make a change.
>
>> It's true that attempts to discourage registration of EDNS code points
>> are a problem and a risk for the quality of the registry (if people start
>> to pick EDNS option codes at random and just use them), but, as I said, it
>> is not IANA's fault. My suggestion would be to publish EDNS-ping as
>> Experimental or Informational and then IANA could not refuse an official
>> option code.
>
> that seems to be an easy way forward.
> (SRV is still "experimental", FWIW.)

Yep, that's a good plan forward.

Thanks,
David

From: Kim Davies
To: David Ulevitch
Cc: "namedroppers@ops.ietf.org"
Date: Tue, 19 May 2009 09:17:44 -0700
Subject: Re: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

On 5/18/09 10:16 PM, "David Ulevitch" wrote:

> IANA makes registering other, far more scarce, resources much easier and
> EDNS0 Option Codes should be no different. At the end of the day,
> making the process easy fosters innovation and development in a way
> that promotes interoperability and stability.

To reiterate the takeaway from Stephane's analysis: IANA does not decide the registration policies of protocol registries. We do what we are advised by the IETF standards process. With regards to maintaining IETF protocol registries, IANA has very little latitude in how it interprets registry maintenance requirements. Whenever there is any doubt, the IESG (or its appointed subject matter experts) make the decisions.

With kindest regards,

Kim Davies
Internet Assigned Numbers Authority
From: Paul Hoffman
To: bert hubert
Cc: namedroppers@ops.ietf.org
Date: Tue, 19 May 2009 10:40:20 -0700
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order

Hopefully, you are still following the discussion.

At 12:02 AM +0200 5/16/09, bert hubert wrote:

>I have also been pointedly informed [3] that EDNS-PING, which requires an
>EDNS option code, can't succeed as an individual draft either since only the
>DNSEXT WG can authorize the issue of such an EDNS option code from IANA.

As it turns out, that statement is correct but insufficient. As has been pointed out, all that is needed for an EDNS option code is an RFC. You can submit an RFC as an *independent submission* directly to the RFC Editor. Such submissions do not come to the WG unless the Area Directors consider the document an "end run" against WG work. Clearly, the WG is not doing work on EDNS pings, so I doubt that would be the case here.

The result of independent submission (as compared to WG or individual submission) is always either an Experimental or Informational RFC, never a standards track RFC. Again, that is fine for getting an EDNS option, and the practical difference between the two is illusory at best.

Given that there is already deployment of the protocol, please consider revising your draft to clarify the areas that have been exposed so far, and then consider sending it to the RFC Editor as an independent submission as an Experimental RFC.

--Paul Hoffman, Director
--VPN Consortium
From: bert hubert
To: George Barwood
Cc: namedroppers@ops.ietf.org
Date: Tue, 19 May 2009 20:29:56 +0200
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

On Tue, May 19, 2009 at 8:10 PM, George Barwood wrote:

> RFC 3255 says:
>
> "Security records that match an explicit SIG, KEY, NXT, or ANY query, or are part of the
> zone data for an AXFR or IXFR query, are included whether or not the DO bit was set."
>
> AXFR and IXFR are a local matter, so I'm not worried about that.
>
> But for an ANY query, isn't there a significant risk of breaking ancient mail servers that use ANY?

Sending ANY queries to a resolver is a 'bag of hurt' already, and can't possibly work. So I don't think this will matter. Resolvers only send out what is currently in their cache, which can be a completely mixed bag of records.

Bert
From: Matthew Dempsky
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org
Date: Tue, 19 May 2009 11:52:05 -0700
Subject: [dnsext] Re: Configuration of domains, secondaries in the domain or not? (Was: DNSCurve

On Tue, May 19, 2009 at 8:16 AM, Stephane Bortzmeyer wrote:

> We are drifting far away from DNScurve

Yes, but I think the point you were arguing against DNSCurve was hypocritical.

> but do note it is NOT
> "frivolous third party dependencies" but a deliberate design
> decision.

I'll gladly admit to not having any experience running a TLD. Would you mind elaborating on the design decisions that led the .fr administrators to make themselves dependent on these "not frivolous" third parties then? E.g., why was the current configuration chosen in preference to one like .se:

fr. NS a.ns.fr.
fr. NS b.ns.fr.
fr. NS c.ns.fr.
fr. NS d.ns.fr.
fr. NS e.ns.fr.
fr. NS f.ns.fr.
fr. NS g.ns.fr.
fr. NS h.ns.fr.
a.ns.fr. A 192.93.0.129
a.ns.fr. AAAA 2001:660:3005:3::1:1
b.ns.fr. A 192.228.90.21
c.ns.fr. A 192.134.0.129
c.ns.fr. AAAA 2001:660:3006:4::1:1
d.ns.fr. A 204.152.184.85
d.ns.fr. AAAA 2001:4f8:0:2::8
e.ns.fr. A 193.176.144.6
f.ns.fr. A 194.57.253.1
g.ns.fr. A 194.146.106.46
h.ns.fr. A 204.61.216.39
h.ns.fr. AAAA 2001:500:14:6039:ad::1

There's no need to make ns.fr a separate zone; just serve these records directly from the .fr zone. There's currently no ns.fr zone, so you could even transition to this today and leave nic.fr untouched. The equivalent *.nic.fr records are already present in both the .fr zone and the root zone, so there's no additional work to maintain the new records' correctness.

What detail am I missing about why you decided to place the .fr name servers within a zone under the control of untrusted third parties?

> There have been MANY debates in the TLD community between
> the single-engined (all the name servers in one domain, and no
> dependency) and the multi-engined approach and there is no consensus
> yet (check .DE or .ORG).
Here is the list of name server names that these two TLDs are transitively dependent upon:

de: a.gtld-servers.net, a.nic.de, a2.nstld.com, b.gtld-servers.net, c.de.net, c.gtld-servers.net, c2.nstld.com, d.gtld-servers.net, d2.nstld.com, e.gtld-servers.net, e2.nstld.com, f.gtld-servers.net, f.nic.de, f2.nstld.com, g.gtld-servers.net, g2.nstld.com, h.gtld-servers.net, h2.nstld.com, i.gtld-servers.net, j.gtld-servers.net, k.gtld-servers.net, l.de.net, l.gtld-servers.net, l2.nstld.com, m.gtld-servers.net, ns1.denic.de, ns2.denic.de, ns3.denic.de, ns4.denic.net, ns5.denic.net, s.de.net, z.nic.de

org: a0.info.afilias-nst.info, a0.org.afilias-nst.info, a2.info.afilias-nst.info, a2.org.afilias-nst.info, b0.info.afilias-nst.org, b0.org.afilias-nst.org, b2.info.afilias-nst.org, b2.org.afilias-nst.org, c0.info.afilias-nst.info, c0.org.afilias-nst.info, d0.info.afilias-nst.org, d0.org.afilias-nst.org, ns1.ams1.afilias-nst.info, ns1.hkg1.afilias-nst.info, ns1.mia1.afilias-nst.info, ns1.sea1.afilias-nst.info, ns1.yyz1.afilias-nst.info

Here's the list of names that .fr is transitively dependent upon:

The .de and .org TLDs still have some somewhat silly dependencies, but looking at it from an organizational level instead, .org is only dependent upon Afilias, and .de is only dependent upon Verisign and DENIC. On the other hand, .fr is also dependent upon a bunch of schools, private companies, and other organizations.
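The comparison above is a transitive-closure walk over zone delegations: a TLD depends on its NS hostnames, each hostname lives in some zone (and under that zone's parents), and those zones' own NS sets must be resolvable too. The following Python is an added example, not code from the thread or from any TLD operator; its ZONES and OPERATORS maps are constructed, simplified snapshots (the hostnames echo the thread, the delegation structure is illustrative), so the numbers it prints describe the toy data, not the real .se/.de/.fr of 2009.

```python
"""Transitive name-server dependency analysis for a TLD (added example)."""
from typing import Dict, List, Set, Tuple

Zones = Dict[str, List[str]]

# CONSTRUCTED delegation map: zone -> its NS hostnames (no trailing dots).
# Only the zone cuts that matter to the walk are listed; a hostname whose
# nearest listed suffix is the zone under analysis is in-bailiwick glue.
ZONES: Zones = {
    # single-engined: every NS name sits inside the TLD itself
    "se": ["a.ns.se", "b.ns.se", "c.ns.se"],
    # .de: in-bailiwick names under nic.de plus DENIC's own zones
    "de": ["a.nic.de", "f.nic.de", "ns1.denic.de", "ns4.denic.net"],
    "denic.de": ["ns1.denic.de", "ns4.denic.net"],
    "denic.net": ["ns1.denic.de", "ns4.denic.net"],
    "net": ["a.gtld-servers.net", "b.gtld-servers.net"],
    "gtld-servers.net": ["a.gtld-servers.net", "b.gtld-servers.net"],
    # .fr: NS names delegated to nic.fr, which in turn leans on others
    "fr": ["a.nic.fr", "c.nic.fr", "b.ext.nic.fr", "dns.inria.fr"],
    "nic.fr": ["a.nic.fr", "ns1.nic.fr", "dns.inria.fr"],
    "inria.fr": ["dns.inria.fr", "nez-perce.inria.fr", "ns1.fast.net"],
    "fast.net": ["ns1.fast.net", "ns2.fast.net"],
}

# CONSTRUCTED operator attribution for the organisational view.
OPERATORS: Dict[str, str] = {
    "denic.de": "DENIC", "denic.net": "DENIC",
    "net": "Verisign", "gtld-servers.net": "Verisign",
    "nic.fr": "AFNIC",
    "inria.fr": "INRIA (research institute)",
    "fast.net": "example ISP",
}


def zone_cuts(name: str, zones: Zones) -> List[str]:
    """All listed zones that are suffixes of `name`, nearest first.

    Resolving a name needs its enclosing zone AND every parent zone cut
    above it, so all of them are dependencies.
    """
    labels = name.split(".")
    cuts = [".".join(labels[i:]) for i in range(len(labels))]
    return [c for c in cuts if c in zones]


def transitive_dependencies(zone: str, zones: Zones) -> Tuple[Set[str], Set[str]]:
    """Return (ns_names, zones) that `zone` transitively relies upon.

    Breadth of the closure is what the thread's lists show: each NS name
    pulls in the zones it lives under, whose NS names pull in more zones.
    `zone` itself is excluded from the returned zone set; cycles (DENIC's
    zones serve each other) are handled by the visited set.
    """
    ns_names: Set[str] = set()
    visited: Set[str] = set()
    pending = [zone]
    while pending:
        z = pending.pop()
        if z in visited:
            continue
        visited.add(z)
        for ns in zones[z]:
            ns_names.add(ns)
            cuts = zone_cuts(ns, zones)
            if not cuts:
                raise ValueError(f"no known zone cut for {ns}")
            pending.extend(c for c in cuts if c not in visited)
    visited.discard(zone)
    return ns_names, visited


def out_of_bailiwick(zone: str, ns_names: Set[str]) -> Set[str]:
    """NS names not under `zone`, i.e. the ones glue in `zone` cannot cover."""
    return {n for n in ns_names if not n.endswith("." + zone)}


def operators(dep_zones: Set[str], who: Dict[str, str]) -> Set[str]:
    """Collapse dependent zones to the organisations running them."""
    return {who.get(z, f"unknown operator of {z}") for z in dep_zones}


if __name__ == "__main__":
    for tld in ("se", "de", "fr"):
        names, zs = transitive_dependencies(tld, ZONES)
        print(f".{tld}: {len(names)} NS names, {len(zs)} external zones, "
              f"{len(out_of_bailiwick(tld, names))} out-of-bailiwick names, "
              f"operators={sorted(operators(zs, OPERATORS))}")
```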
From: Stuart Cheshire
To: bert hubert
Cc: Stephane Bortzmeyer, namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
Date: Tue, 19 May 2009 12:31:27 -0700
Subject: Re: [dnsext] Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING

On 18 May, 2009, at 01:21, bert hubert wrote:

> I think I recall IANA stating there was some confusion. In general the
> point is moot since both EDNS option code 4 and 5 are in actual &
> somewhat wide use and I guess no-one would want to use these option
> codes anymore since they are 'polluted'.
>
> Bert

I currently have EDNS option code 4 "on hold" with IANA, pending me finding the time to write the Internet Draft describing it. I described it in email last year (Subject "EDNS0 Option Code", Sun, 16 Nov 2008) but IANA wants more than just an email :-)

It's been in shipping Apple products for a while; I hope to get the Internet Draft submitted in the next couple of weeks.

What is code 5 being used for?

Stuart Cheshire
* Wizard Without Portfolio, Apple Inc.
* Internet Architecture Board
* www.stuartcheshire.org
From owner-namedroppers@ops.ietf.org Tue May 19 12:45:21 2009
From: Stephane Bortzmeyer
To: Stuart Cheshire
Cc: bert hubert, Stephane Bortzmeyer, namedroppers@ops.ietf.org, dnsext-chairs@tools.ietf.org
Subject: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
Date: Tue, 19 May 2009 21:42:37 +0200
Message-ID: <20090519194237.GA30412@nic.fr>
In-Reply-To: <37F238B9-ADE3-4360-B446-2953CDA9B0A7@apple.com>
Organization: NIC France

On Tue, May 19, 2009 at 12:31:27PM -0700, Stuart Cheshire wrote a message of 23 lines which said:

> What is code 5 being used for?

#define DNS_OPT_PING 0x0005 /*%< PING opt code */

From owner-namedroppers@ops.ietf.org Tue May 19 13:18:25 2009
From: "W.C.A. Wijngaards"
To: bert hubert
CC: George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 22:13:33 +0200
Message-ID: <4A1312ED.3040002@nlnetlabs.nl>
In-Reply-To: <3efd34cc0905191129x2fdbbd10v7a1d97c6c9ea5903@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bert hubert wrote:
> On Tue, May 19, 2009 at 8:10 PM, George Barwood
>> But for an ANY query, isn't there a significant risk of breaking ancient mail servers that use ANY ?
>
> Sending ANY queries to a resolver is a 'bag of hurt' already, and
> can't possibly work. So I don't think this will matter.
>
> Resolvers only send out what is currently in their cache, which can be
> a completely mixed bag of records.

So, I agree with Bert here. With ANY you can get unknown RR types back also without DNSSEC, and good software implements RFC3597 to handle it.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkoTEu0ACgkQkDLqNwOhpPhBqQCggzmOpos91R13YX0AqN7mKISf
6XgAoKkmoZYY1lUFu4aQttVCkR1yJWIw
=4YCb
-----END PGP SIGNATURE-----

From owner-namedroppers@ops.ietf.org Tue May 19 13:41:12 2009
From: Paul Hoffman
To: Stuart Cheshire
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
Date: Tue, 19 May 2009 13:38:11 -0700
In-Reply-To: <37F238B9-ADE3-4360-B446-2953CDA9B0A7@apple.com>

At 12:31 PM -0700 5/19/09, Stuart Cheshire wrote:
>What is code 5 being used for?

The same thing that started this thread: draft-hubert-ulevitch-edns-ping-01.txt

--Paul Hoffman, Director
--VPN Consortium
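The three messages above are about which EDNS0 option codes are already in use: code 4 is on hold with IANA for an Apple option, and code 5 is what the EDNS-PING draft uses (the `DNS_OPT_PING` define). The Python below is an added example, not code from any poster or from BIND: it parses an OPT pseudo-RR into its advertised UDP payload size, EDNS version, DO bit and option TLVs, and rejects an option whose declared length overruns the RDATA instead of reading it short. The `OPTION_NAMES` table records only what this thread says about codes 4 and 5 and is not the IANA registry; the sample OPT record and the 4 bytes carried under code 5 are constructed and do not follow the EDNS-PING draft's format.

```python
import struct

OPT_TYPE = 41       # EDNS0 OPT pseudo-RR (RFC 2671)
DO_FLAG = 0x8000    # "DNSSEC OK" bit in the OPT TTL field (RFC 3225)

# Option codes as the thread reports them; this is not the IANA registry.
OPTION_NAMES = {
    4: "on hold with IANA (Apple option, Internet Draft pending)",
    5: "EDNS-PING (draft-hubert-ulevitch-edns-ping)",
}


class OptParseError(ValueError):
    """Structurally invalid OPT RR or option TLV."""


def parse_options(rdata):
    """Split OPT RDATA into (code, data) pairs.
    Each option is a TLV: 2-byte code, 2-byte length, then `length` data bytes.
    A length that runs past the end of the RDATA is rejected rather than
    silently read short."""
    options, pos = [], 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise OptParseError("option header truncated at offset %d" % pos)
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise OptParseError("option %d declares %d bytes but only %d remain"
                                % (code, length, len(rdata) - pos))
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


# type, class (= UDP payload size), extended RCODE, version, flags, RDLENGTH
_FIXED = struct.Struct("!HHBBHH")


def parse_opt_rr(wire, offset=0):
    """Parse one OPT RR at `offset`. Returns the advertised UDP payload size,
    EDNS version, extended RCODE bits, DO bit, options and the end offset."""
    if offset >= len(wire) or wire[offset] != 0:
        raise OptParseError("OPT RR owner name must be the root")
    try:
        rtype, payload, ext_rcode, version, flags, rdlen = _FIXED.unpack_from(wire, offset + 1)
    except struct.error:
        raise OptParseError("OPT fixed fields truncated") from None
    if rtype != OPT_TYPE:
        raise OptParseError("not an OPT RR (type %d)" % rtype)
    start = offset + 1 + _FIXED.size
    rdata = wire[start:start + rdlen]
    if len(rdata) != rdlen:
        raise OptParseError("OPT RDATA truncated")
    return {"payload_size": payload, "version": version, "ext_rcode": ext_rcode,
            "do": bool(flags & DO_FLAG), "options": parse_options(rdata), "end": start + rdlen}


def build_opt_rr(payload_size, do, options, version=0):
    """Inverse of parse_opt_rr; used here only to construct sample input."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    flags = DO_FLAG if do else 0
    return b"\x00" + _FIXED.pack(OPT_TYPE, payload_size, 0, version, flags, len(rdata)) + rdata


def describe(options):
    """Annotate parsed options with the names this thread gives to codes 4 and 5."""
    return [(code, OPTION_NAMES.get(code, "unknown/unassigned"), len(data))
            for code, data in options]


# Constructed sample: a query's OPT RR advertising 4096 bytes with DO set and
# option code 5 carrying 4 constructed bytes (not the EDNS-PING draft's format).
SAMPLE_OPT = build_opt_rr(4096, True, [(5, b"\xde\xad\xbe\xef")])

if __name__ == "__main__":
    parsed = parse_opt_rr(SAMPLE_OPT)
    print(parsed["payload_size"], parsed["do"], describe(parsed["options"]))
```

The length check in `parse_options` is the part worth copying: an option TLV whose length field points past the end of the RDATA is exactly the kind of input a server or resolver must refuse cleanly, and a parser that trusts the field is the usual source of over-reads in OPT handling.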
From owner-namedroppers@ops.ietf.org Tue May 19 14:13:48 2009
From: SM
To: George Barwood
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 14:10:08 -0700
Message-Id: <6.2.5.6.2.20090519140801.02f9abc8@resistor.net>
In-Reply-To: <30C86D5064CE4570B206FFC923C47DF6@localhost>

At 13:38 19-05-2009, George Barwood wrote:
>"Sending ANY queries to a resolver is a 'bag of hurt' already, and
>can't possibly work."
>
>Agreed. But it's the authority case that matters, I think it's
>SendMail that uses ANY.

It's not sendmail. It's another well-known MTA.

>It may fall back to MX on truncation, or it may do something else (
>retry over TCP, fall over, who knows? ).

That MTA does not retry over TCP.

Regards,
-sm
From owner-namedroppers@ops.ietf.org Tue May 19 14:30:09 2009
From: bert hubert
To: SM
Cc: George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 23:27:09 +0200
Message-ID: <3efd34cc0905191427s3bd5eb69k53f3ab7ef7898f96@mail.gmail.com>
In-Reply-To: <6.2.5.6.2.20090519140801.02f9abc8@resistor.net>

On Tue, May 19, 2009 at 11:10 PM, SM wrote:
>> Agreed. But it's the authority case that matters, I think it's SendMail
>> that uses ANY.
>
> It's not sendmail. It's another well-known MTA.

Can we please name names? Exchange? (I understand DNSEXT is not about implementations, but it helps to know if this is a corner case or something that is widely deployed).

>> It may fall back to MX on truncation, or it may do something else ( retry
>> over TCP, fall over, who knows? ).
>
> That MTA does not retry over TCP.

Exchange has been known to have a love affair with DNS over TCP though..

Bert
From owner-namedroppers@ops.ietf.org Tue May 19 14:37:33 2009
From: Matthew Dempsky
To: SM
Cc: George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 14:36:08 -0700
In-Reply-To: <6.2.5.6.2.20090519140801.02f9abc8@resistor.net>

On Tue, May 19, 2009 at 2:10 PM, SM wrote:
> It's not sendmail. It's another well-known MTA.

I know qmail uses ANY queries, but it uses res_query(3) for handling DNS queries, which, at least on Debian 4.0, I have experimentally confirmed retries queries over TCP after receiving truncated UDP responses.

From owner-namedroppers@ops.ietf.org Tue May 19 14:39:52 2009
From: sthaug@nethelp.no
To: bert.hubert@gmail.com
Cc: sm@resistor.net, george.barwood@blueyonder.co.uk, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 23:38:39 +0200 (CEST)
Message-Id: <20090519.233839.104103096.sthaug@nethelp.no>
In-Reply-To: <3efd34cc0905191427s3bd5eb69k53f3ab7ef7898f96@mail.gmail.com>

> >> Agreed. But it's the authority case that matters, I think it's SendMail
> >> that uses ANY.
> >
> > It's not sendmail. It's another well-known MTA.
>
> Can we please name names? Exchange?

qmail.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
From owner-namedroppers@ops.ietf.org Tue May 19 15:22:20 2009
From: David Conrad
To: George Barwood
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 15:19:08 -0700
Message-Id: <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org>
In-Reply-To: <47EB15AA554A43A9B02FE19A439D3BDC@localhost>

On May 19, 2009, at 11:10 AM, George Barwood wrote:
> But for an ANY query, isn't there a significant risk of breaking
> ancient mail servers that use ANY ?

Do you know of any instances of breakage?

> Can anyone re-assure me that this is safe?

The Internet is a dangerous place. If software misbehaves when presented with something over the network, it most certainly isn't safe.

> It seems more conservative to send DNSSEC records only when the
> client has indicated some knowledge of DNSSEC, so that an upgraded
> server with a signed zone responds in exactly the same way as
> before, unless DNSSEC support in the client is signalled by either
> the DO bit or QTYPE.

There was discussion of this when 3225 was being written. If I remember correctly (quite unlikely -- it was a long time ago), the consensus was that an application that requested ANY really needed to be able to handle anything that might be returned.

Regards,
-drc
archive: From owner-namedroppers@ops.ietf.org Tue May 19 17:34:01 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B6693A6C17; Tue, 19 May 2009 17:34:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.187 X-Spam-Level: X-Spam-Status: No, score=0.187 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C5jcZ35kRZbZ; Tue, 19 May 2009 17:34:00 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 607463A6C06; Tue, 19 May 2009 17:34:00 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ZhG-000BIm-SO for namedroppers-data0@psg.com; Wed, 20 May 2009 00:30:14 +0000 Received: from [74.125.46.30] (helo=yw-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6Zh2-000BGt-00 for namedroppers@ops.ietf.org; Wed, 20 May 2009 00:30:08 +0000 Received: by yw-out-2324.google.com with SMTP id 3so88179ywj.71 for ; Tue, 19 May 2009 17:29:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.90.69.15 with SMTP id r15mr515800aga.74.1242779398021; Tue, 19 May 2009 17:29:58 -0700 (PDT) In-Reply-To: References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <3efd34cc0905191129x2fdbbd10v7a1d97c6c9ea5903@mail.gmail.com> <30C86D5064CE4570B206FFC923C47DF6@localhost> <6.2.5.6.2.20090519140801.02f9abc8@resistor.net> Date: Tue, 19 May 2009 17:29:57 -0700 Message-ID: Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY From: Matthew Dempsky To: SM Cc: George Barwood , namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 
Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Tue, May 19, 2009 at 2:36 PM, Matthew Dempsky wrote: > I know qmail uses ANY queries, but it uses res_query(3) for handling > DNS queries, which at least on Debian 4.0 I have experimentally > confirmed that it retries queries over TCP after receiving truncated > UDP responses. Ah, my test case was somewhat faulty: res_query will repeat its query over TCP, but qmail will still internally truncate the response to 512 bytes, causing a failure if the answers section exceeds this size. (My first test case used dnscache, whose behavior for answering ANY queries largely mitigates this problem; trying again with BIND exposed it.) -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Tue May 19 17:57:49 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A6663A6F00; Tue, 19 May 2009 17:57:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.982 X-Spam-Level: X-Spam-Status: No, score=-4.982 tagged_above=-999 required=5 tests=[AWL=-0.896, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_UNSUB30=0.351] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVSh1VPmGaUx; Tue, 19 May 2009 17:57:48 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 6CA9C3A6A7A; Tue, 19 May 2009 17:57:48 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6a4X-000DVT-RN for namedroppers-data0@psg.com; Wed, 20 May 2009 00:54:17 +0000 
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6a4K-000DUH-Og for namedroppers@ops.ietf.org; Wed, 20 May 2009 00:54:11 +0000 Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 432525B3817; Tue, 19 May 2009 17:54:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at virtualized.org Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVAR7w0f6Deq; Tue, 19 May 2009 17:54:01 -0700 (PDT) Received: from wlan39-215.mdr.icann.org (wlan39-215.mdr.icann.org [192.0.39.215]) by virtualized.org (Postfix) with ESMTP id 7918D5B3805; Tue, 19 May 2009 17:54:01 -0700 (PDT) From: David Conrad To: George Barwood In-Reply-To: <50585B47089D4A1F89287F17C398F469@localhost> Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY X-Priority: 3 References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <50585B47089D4A1F89287F17C398F469@localhost> Message-Id: <98708266-EF69-4ABA-BF04-ABC167A80E36@virtualized.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v935.3) Date: Tue, 19 May 2009 17:54:00 -0700 Cc: X-Mailer: Apple Mail (2.935.3) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: George, On May 19, 2009, at 4:56 PM, George Barwood wrote: >> Do you know of any instances of breakage? > I didn't, but after some searching this link seems to suggest qmail > does break > > http://www.ripe.net/ripe/maillists/archives/dns-wg/2006/msg00013.html > > I think the semantics is cleaner if DO bit stops unrequested DNSSEC > records being sent. Just to be clear, as I am no longer working for a DNS software implementer, I don't have a strong opinion either way. However, to reiterate the arguments made oh so long ago... 
> The ANY case is ambiguous, but the DO bit can resolve the ambiguity.

Well, no. If you ask for ANY, I believe you're actually asking for ANY,
which would include DNSSEC related stuff. The fact that DNSSEC stuff is
big and that sometimes triggers truncation is not really related to the
fact that it is DNSSEC.

> If the client wants DNSSEC records, it will be sending an OPT record
> anyway, and can set the DO bit.

If I do a "dig @server domain ANY", I would assume I want any records in
that cache. You are saying I should do "dig +dnssec @server domain ANY"
to get any records in the cache. When we add another RR type that has
large rdata, should we add another flag both to the DNS protocol and dig
so that qmail won't barf?

> Regardless, if I'm going to deploy DNSSEC, I need to be sure it
> won't stop email being delivered.

I understand and agree.

> That's the real world.

So, in my experience, the real world is rarely that black and white. You
are suggesting that in order to deploy DNSSEC, we should revise an RFC
and every DNS software implementer needs to update their implementation
to support that revision. The alternative is that the one mail server
implementer that appears to have trouble with large responses returned
by the ANY query fix his mail server so it can handle large responses.
Either way, new software is going to need to be deployed.

Regards,
-drc

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 18:39:00 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 281BB3A6DE9; Tue, 19 May 2009 18:39:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.519
X-Spam-Level:
X-Spam-Status: No, score=-2.519 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TohwYEmBgxEO; Tue, 19 May 2009 18:38:59 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4D92B3A6C28; Tue, 19 May 2009 18:38:59 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6aiI-000GbR-83 for namedroppers-data0@psg.com; Wed, 20 May 2009 01:35:22 +0000
Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ai1-000GZg-4q for namedroppers@ops.ietf.org; Wed, 20 May 2009 01:35:15 +0000
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id C1A04E6056; Wed, 20 May 2009 01:35:03 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4K1Z13j052694; Wed, 20 May 2009 11:35:01 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200905200135.n4K1Z13j052694@drugs.dv.isc.org>
to: George Barwood , namedroppers@ops.ietf.org
From: Mark Andrews
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-reply-to: Your message of "Tue, 19 May 2009 17:54:00 MST." <98708266-EF69-4ABA-BF04-ABC167A80E36@virtualized.org>
Date: Wed, 20 May 2009 11:35:01 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Qmail is broken with or without DNSSEC records based on this thread.
ANY queries are a bad idea and should be stomped on with extreme
prejudice. ANY can cause the 64K TCP message size limit to be exceeded
when individual queries for the desired records will succeed. ANY
queries make the querying application more complex than it otherwise
needs to be as it still needs to fall back to individual queries when
the desired records are not in the ANY response.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 18:43:00 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BD633A68A7; Tue, 19 May 2009 18:43:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level:
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ar9ig7+dA262; Tue, 19 May 2009 18:42:59 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 38A673A683E; Tue, 19 May 2009 18:42:59 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6anZ-000Gzr-1V for namedroppers-data0@psg.com; Wed, 20 May 2009 01:40:49 +0000
Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6anH-000Gxo-6m for namedroppers@ops.ietf.org; Wed, 20 May 2009 01:40:42 +0000
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id D0213E601C; Wed, 20 May 2009 01:40:29 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4K1eOeS052800; Wed, 20 May 2009 11:40:24 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200905200140.n4K1eOeS052800@drugs.dv.isc.org>
To: Paul Vixie
Cc: Stephane Bortzmeyer , David Ulevitch , namedroppers@ops.ietf.org, "dnsext-chairs@tools.ietf.org"
From: Mark Andrews
Subject: Re: [dnsext] Re: Allocation of EDNS0 option codes (Was: dropping request for adoption of EDNS-PING
In-reply-to: Your message of "Tue, 19 May 2009 16:01:09 GMT." <75669.1242748869@nsa.vix.com>
Date: Wed, 20 May 2009 11:40:24 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In message <75669.1242748869@nsa.vix.com>, Paul Vixie writes:
> > Date: Tue, 19 May 2009 17:11:25 +0200
> > From: Stephane Bortzmeyer
> > ...
> > > Really, the IANA ought to just mark EDNS0 Option Code 4 and 5 as
> > > registered
> >
> > They cannot, until a RFC is published (that's what RFC 2671 says, in
> > its "IANA considerations" section).
>
> note that the iana considerations section of rfc 2671 came to the ID author
> from the WG chairs as "the common wisdom of that moment". it was not
> intended to be prescriptive in the sense that doing it some other way would
> cause the protocol itself to malfunction. if there's a reason to do it
> some other way then we should make a change.
>
> > It's true that attempts to discourage registration of EDNS code points
> > are a problem and a risk for the quality of the registry (if people start
> > to pick EDNS option codes at random and just use it), but, as I said, it
> > is not IANA's fault. My suggestion would be to publish EDNS-ping as
> > Experimental or Informational and then IANA could not refuse an official
> > option code.
>
> that seems to be an easy way forward. (SRV is still "experimental", FWIW.)

Actually it is Standards Track as of RFC 2782. When it was initially
proposed it was experimental (RFC 2052).

Network Working Group                                     A. Gulbrandsen
Request for Comments: 2782                             Troll Technologies
Obsoletes: 2052                                                 P. Vixie
Category: Standards Track                  Internet Software Consortium
                                                               L. Esibov
                                                         Microsoft Corp.
                                                           February 2000

      A DNS RR for specifying the location of services (DNS SRV)

>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 20:39:56 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD27A3A6ADD; Tue, 19 May 2009 20:39:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lc85Kw5VeGir; Tue, 19 May 2009 20:39:56 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E97E53A68D6; Tue, 19 May 2009 20:39:55 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6cYa-000OfH-SD for namedroppers-data0@psg.com; Wed, 20 May 2009 03:33:28 +0000
Received: from [66.6.203.2] (helo=hermes.walkereng.com) by psg.com with smtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6cYO-000Oeh-KA for namedroppers@ops.ietf.org; Wed, 20 May 2009 03:33:22 +0000
Received: (qmail 8273 invoked by uid 1000); 20 May 2009 03:33:13 -0000
Date: Tue, 19 May 2009 22:33:13 -0500
From: Emilio Perea
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090520033313.GA12718@hermes.walkereng.com>
Mail-Followup-To: namedroppers@ops.ietf.org
References: <98708266-EF69-4ABA-BF04-ABC167A80E36@virtualized.org> <200905200135.n4K1Z13j052694@drugs.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200905200135.n4K1Z13j052694@drugs.dv.isc.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On Wed, May 20, 2009 at 11:35:01AM +1000, Mark Andrews wrote:
>
> Qmail is broken with or without DNSSEC records based on
> this thread. ANY queries are a bad idea and should be
> stomped on with extreme prejudice. ANY can cause the
> 64K TCP message size limit to be exceeded when individual
> queries for the desired records will succeed. ANY queries
> make the querying application more complex than it otherwise
> needs to be as it still needs to fall back to individual
> queries when the desired records are not in the ANY response.

FWIW, this was DJB's note on the ANY query change:

19961003 portability problem: all pre-4.9.4 versions of bind barf,
badly, on CNAME queries to lame servers. what a crappy system. even if
the resolver doesn't barf, the next name server down the line may barf.
impact: qmail can't get mail through to domains that are (1) lame and
(2) running old versions of bind. fix: never, ever, do a CNAME query.
dns_cname() now does an ANY query instead. this, like sendmail's
analogous procedure, is unreliable when a CNAME is mixed with other
records.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 21:09:09 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37B273A6B55; Tue, 19 May 2009 21:09:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.437
X-Spam-Level:
X-Spam-Status: No, score=-4.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2X270JLUXHMy; Tue, 19 May 2009 21:09:08 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5B7833A691A; Tue, 19 May 2009 21:09:08 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6d4G-00014z-AQ for namedroppers-data0@psg.com; Wed, 20 May 2009 04:06:12 +0000
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6d43-00013a-Uv for namedroppers@ops.ietf.org; Wed, 20 May 2009 04:06:06 +0000
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 902575B419C; Tue, 19 May 2009 21:05:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1cMO3FGP4Sq; Tue, 19 May 2009 21:05:50 -0700 (PDT)
Received: from [192.168.1.109] (pool-71-105-76-217.lsanca.dsl-w.verizon.net [71.105.76.217]) by virtualized.org (Postfix) with ESMTP id 22F465B418E; Tue, 19 May 2009 21:05:50 -0700 (PDT)
Cc: namedroppers@ops.ietf.org
Message-Id: <86D0013C-5D65-47E5-A30A-CE9336B47C5B@virtualized.org>
From: David Conrad
To: Emilio Perea
In-Reply-To: <20090520033313.GA12718@hermes.walkereng.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Tue, 19 May 2009 21:05:48 -0700
References: <98708266-EF69-4ABA-BF04-ABC167A80E36@virtualized.org> <200905200135.n4K1Z13j052694@drugs.dv.isc.org> <20090520033313.GA12718@hermes.walkereng.com>
X-Mailer: Apple Mail (2.935.3)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On May 19, 2009, at 8:33 PM, Emilio Perea wrote:
> On Wed, May 20, 2009 at 11:35:01AM +1000, Mark Andrews wrote:
>>
>> Qmail is broken with or without DNSSEC records based on
>> this thread.
> FWIW, this was DJB's note on the ANY query change:
> 19961003 portability problem: all pre-4.9.4 versions of bind barf,
...

1996? BIND pre-4.9.4?

Seriously?

Regards,
-drc

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 21:47:36 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7F363A6B09; Tue, 19 May 2009 21:47:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.531
X-Spam-Level:
X-Spam-Status: No, score=-2.531 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOVE+DrXiTxB; Tue, 19 May 2009 21:47:35 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 75CFF3A683B; Tue, 19 May 2009 21:47:35 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6det-0003Zb-Iz for namedroppers-data0@psg.com; Wed, 20 May 2009 04:44:03 +0000
Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6deg-0003YB-EO for namedroppers@ops.ietf.org; Wed, 20 May 2009 04:43:57 +0000
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 17404E602F; Wed, 20 May 2009 04:43:48 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4K4hkai047180; Wed, 20 May 2009 14:43:46 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200905200443.n4K4hkai047180@drugs.dv.isc.org>
To: David Conrad
Cc: Emilio Perea , namedroppers@ops.ietf.org
From: Mark Andrews
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-reply-to: Your message of "Tue, 19 May 2009 21:05:48 MST." <86D0013C-5D65-47E5-A30A-CE9336B47C5B@virtualized.org>
Date: Wed, 20 May 2009 14:43:46 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In message <86D0013C-5D65-47E5-A30A-CE9336B47C5B@virtualized.org>, David Conrad writes:
> On May 19, 2009, at 8:33 PM, Emilio Perea wrote:
> > On Wed, May 20, 2009 at 11:35:01AM +1000, Mark Andrews wrote:
> >>
> >> Qmail is broken with or without DNSSEC records based on
> >> this thread.
> > FWIW, this was DJB's note on the ANY query change:
> > 19961003 portability problem: all pre-4.9.4 versions of bind barf,
> ...
>
> 1996? BIND pre-4.9.4?
>
> Seriously?

That was back when named loaded what it could and served that. If
queries came in for a type that wasn't loaded and there was an error
loading it, it returned SERVFAIL. MTAs idiotically made CNAME queries
which were almost certain to fail with such zones as 99+% of email
addresses are canonical w.r.t. the domain. A plain MX/A query would
have returned the CNAME as a side effect though the lack of an MX or A
would still result in a SERVFAIL. MTAs used ANY queries to work around
this.

We were told about this issue years after sendmail did this change and
fixed named to reject the zone completely rather than depend on the
operator to look at the log for errors. The best response would have
been to tell us immediately so we could fix the bug and to tell sites
running the old version of named to upgrade.

Workarounds have a habit of coming back to bite you which we can see at
the moment with the handling of timeouts on EDNS vs DNSSEC.

Mark

> Regards,
> -drc
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Tue May 19 23:48:03 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 795B83A6EE4; Tue, 19 May 2009 23:48:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.481
X-Spam-Level:
X-Spam-Status: No, score=-1.481 tagged_above=-999 required=5 tests=[AWL=-1.044, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8wSmwdyPdAeP; Tue, 19 May 2009 23:48:02 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 428513A6A65; Tue, 19 May 2009 23:48:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6fXo-000CUH-3p for namedroppers-data0@psg.com; Wed, 20 May 2009 06:44:52 +0000
Received: from [208.69.177.116] (helo=ns1.qubic.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6fXJ-000CRH-W5 for namedroppers@ops.ietf.org; Wed, 20 May 2009 06:44:36 +0000
Received: from subman.resistor.net ([10.0.0.1]) (authenticated bits=0) by ns1.qubic.net (8.14.4.Alpha0/8.14.4.Alpha0) with ESMTP id n4K6i6XZ021897 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 19 May 2009 23:44:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1242801856; x=1242888256; bh=TcWoyYor/EtNIvV3G0T46N6W3/l/J4pHoSZD0cd/zLs=; h=Message-Id:Date:To:From:Subject:Cc:In-Reply-To:References: Mime-Version:Content-Type; b=xP0nt95DlSTK6GX4Ysc9TR+QNK9+vscossBZLLJVJvC0d7gTm4CDIRd+2yfOGGihr Fg4LGYYSJj/npXCp7x7Uu63WQ1n5X4sW6ZC3++B0/dIX9y7DlYmNSKs2wM68qLkeJR y8xqWcEsggq+2uOYf5NK6RHIzbaAzKYIJB3bjjTM=
DomainKey-Signature: a=rsa-sha1; s=mail; d=resistor.net; c=simple; q=dns; b=RC3JHxCmJ4LbKQGSCCT7g+jz5kqVL3/vcLLU4r6rqXBIXpVZpDudHvClRSxXl/+wP bb6Fgb46ylSDVzve66CjigGT9UUxiPccSO6kPqiJmZrJEheyCOIxGaVuxwtHm50Bxhe JldWXeJql9KHGpKQbQwJOfaljF9pkZALYRDrct0=
Message-Id: <6.2.5.6.2.20090519232428.02ff9568@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 19 May 2009 23:42:39 -0700
To: George Barwood , Matthew Dempsky
From: SM
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Cc: namedroppers@ops.ietf.org
In-Reply-To: <50585B47089D4A1F89287F17C398F469@localhost>
References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <50585B47089D4A1F89287F17C398F469@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

At 16:56 19-05-2009, George Barwood wrote:
> > Do you know of any instances of breakage?
>
>I didn't, but after some searching this link seems to suggest qmail does break
>
>http://www.ripe.net/ripe/maillists/archives/dns-wg/2006/msg00013.html
>
>I think the semantics is cleaner if DO bit stops unrequested DNSSEC
>records being sent.

There are other cases unrelated to DNSSEC. If the response is greater
than 512 bytes, it breaks unpatched versions of Qmail as Qmail does not
fall back to using TCP.

At 17:29 19-05-2009, Matthew Dempsky wrote:
>Ah, my test case was somewhat faulty: res_query will repeat its query
>over TCP, but qmail will still internally truncate the response to 512
>bytes, causing a failure if the answers section exceeds this size.

There is a patch for Qmail to get around the 512 byte problem.

Regards,
-sm

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Wed May 20 00:00:06 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 318B23A68EA; Wed, 20 May 2009 00:00:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.536
X-Spam-Level:
X-Spam-Status: No, score=-2.536 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aj6jlUC5Ey7Z; Wed, 20 May 2009 00:00:04 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 76C133A68D6; Wed, 20 May 2009 00:00:04 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6fjD-000DWn-18 for namedroppers-data0@psg.com; Wed, 20 May 2009 06:56:39 +0000
Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6fiy-000DUb-8X for namedroppers@ops.ietf.org; Wed, 20 May 2009 06:56:31 +0000
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 35BDCE601C; Wed, 20 May 2009 06:56:23 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4K6uLsH049187; Wed, 20 May 2009 16:56:21 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200905200656.n4K6uLsH049187@drugs.dv.isc.org>
To: "George Barwood"
Cc: "David Conrad" , namedroppers@ops.ietf.org
From: Mark Andrews
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-reply-to: Your message of "Wed, 20 May 2009 06:51:19 +0100."
Date: Wed, 20 May 2009 16:56:21 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

Having 32 A records would break qmail based on the description. Do we
tell the world that you can't have 32 A addresses?

Having 18 AAAA records would break qmail based on the description. Do we
tell the world that you can't have 18 AAAA addresses?

Do we tell the world that you can't have more records than can fit in
512 bytes?

There are lots of mail domains where an ANY query may cause the 512 byte
limit to be broken without any DNSSEC records being returned.

Applications which make DNS queries should expect that TCP fallback may
occur and that they need to supply buffers bigger than 512 bytes when
making DNS queries to account for that.

DO was designed so that queries where unknown records are not expected
(i.e. explicit queries) didn't see the DNSSEC records. Applications
which make ANY queries *expect* to see unknown record types in the
answer section so there is no issue with sending them in the answer
section.

Note: you do not see DNSSEC records in the authority and additional
sections when you make an ANY query without DO being set. If the same
query is made with DO set then you do see them in the authority and
additional sections.

Mark

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.6-P1 <<>> any isc.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10531
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;isc.org. IN ANY

;; ANSWER SECTION:
isc.org. 3099 IN RRSIG AAAA 5 2 43200 20090615233251 20090516233251 50082 isc.org. eU0U/TN7mYAb4aODz3yxEzoDCj7j2L/5VZeblI2VcBZRC1zAAsx0K+wU lUndou6O6UZyZ2QM6zazy8mEcKs+zCPmssbMIvDyHJ4j4e7lPaU4wKRo DyvjNled7N7Nly/SVKgDoj6fG/IM/BPjWa7l2oL3fRPWq2E+ShY54U9g GAs=
isc.org. 3099 IN AAAA 2001:4f8:0:2::d
isc.org. 39099 IN RRSIG NS 5 2 43200 20090615233251 20090516233251 50082 isc.org. qG+qwfSP5jSrt+HbdoTTNIWkxyqKxy/sztz+CHvpBlywQY8G3cPO+icP TEmJFK5P8xTExsALqgWinufeUK/Mm1r/n3dWWzNN/eVwJcATDqz0yZGn 1vuqxGtdWRc/C6NVvCeeF+cxz/OKtT0GiQYRv/qJ5qUUMbbR6z9CGv0I p2g=
isc.org. 39099 IN NS ams.sns-pb.isc.org.
isc.org. 39099 IN NS sfba.sns-pb.isc.org.
isc.org. 39099 IN NS ns-ext.nrt1.isc.org.
isc.org. 39099 IN NS ord.sns-pb.isc.org.
isc.org. 3099 IN RRSIG DNSKEY 5 2 7200 20090613223111 20090514223111 12892 isc.org. f3gWhhuNs/hlYBJytXvSOmdMYbrw3syVAJ0yYqvToq09/pg53AWEnmdt l24NudXLWLiA57/CCrONRDrUCtX+K2dxkuSYF02Yua2zeELiIIQYEt8c 319hEbvbnqg1u1CJUOB/BCETkolstyQ1MOqBecvA+/UlXo3ZDRX064Hz Ha5RBDaFGUGsdWRZlmPQqizD6Gcug/NpkJBelz0hIuS2uWimwbgDtYhT gw2uDvMLBtsYzxUJot/GgNUwv4Ofa4kES3dvO8U9mahrjMNEFUK8khl+ WdBixijEbHs7jv0lTqrBS4xZQXVI85/07Us13iRw9J+ecFGQ5O8C/9dP TLCodA==
isc.org. 3099 IN RRSIG DNSKEY 5 2 7200 20090613223111 20090514223111 50082 isc.org. mCNeA0XseqHNaylvy6c7+6l61gAKZLLWBPWxPJb0aM2ffoIdKrmtwYej EjUOVVNvxU9A06IwG20I/khJzjmiu57nMsk/WfgJSOnOnTxqGOflu0ks y5YUhKPrTLdKUoeHJOLv2FE/dPS1U9Wy7b3VBbfx+4TtVGFqscwocXtu x1Q=
isc.org. 3099 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 3099 IN DNSKEY 256 3 5 BEAAAAO1rOHZvkQ3rodVl3tbky5pkfCrBuctoc6k7LbppZwvTMRP78+7 q/WTKrJtgsmRFY6YS7C4+8DTQfKG4TXLFUZybyKyW/1EFnqkVPat/E7t R7Yh0Y8r1bXu9T2/zgJqiC4rPZC7LdrKfS+82xbFNaFp7wgV6nOm7zIU 7wcxzLV9Zw==

;; AUTHORITY SECTION:
isc.org. 39099 IN NS ord.sns-pb.isc.org.
isc.org. 39099 IN NS ns-ext.nrt1.isc.org.
isc.org. 39099 IN NS sfba.sns-pb.isc.org.
isc.org. 39099 IN NS ams.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 39099 IN A 199.6.1.30
ord.sns-pb.isc.org. 39099 IN A 199.6.0.30
sfba.sns-pb.isc.org. 39099 IN A 149.20.64.3
sfba.sns-pb.isc.org. 39095 IN AAAA 2001:4f8:0:2::19

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 20 16:42:34 2009
;; MSG SIZE rcvd: 1495

; <<>> DiG 9.3.6-P1 <<>> any isc.org +dnssec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9452
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 11, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN ANY

;; ANSWER SECTION:
isc.org. 2911 IN RRSIG AAAA 5 2 43200 20090615233251 20090516233251 50082 isc.org. eU0U/TN7mYAb4aODz3yxEzoDCj7j2L/5VZeblI2VcBZRC1zAAsx0K+wU lUndou6O6UZyZ2QM6zazy8mEcKs+zCPmssbMIvDyHJ4j4e7lPaU4wKRo DyvjNled7N7Nly/SVKgDoj6fG/IM/BPjWa7l2oL3fRPWq2E+ShY54U9g GAs=
isc.org. 2911 IN AAAA 2001:4f8:0:2::d
isc.org. 38911 IN RRSIG NS 5 2 43200 20090615233251 20090516233251 50082 isc.org. qG+qwfSP5jSrt+HbdoTTNIWkxyqKxy/sztz+CHvpBlywQY8G3cPO+icP TEmJFK5P8xTExsALqgWinufeUK/Mm1r/n3dWWzNN/eVwJcATDqz0yZGn 1vuqxGtdWRc/C6NVvCeeF+cxz/OKtT0GiQYRv/qJ5qUUMbbR6z9CGv0I p2g=
isc.org. 38911 IN NS sfba.sns-pb.isc.org.
isc.org. 38911 IN NS ns-ext.nrt1.isc.org.
isc.org. 38911 IN NS ord.sns-pb.isc.org.
isc.org. 38911 IN NS ams.sns-pb.isc.org.
isc.org. 2911 IN RRSIG DNSKEY 5 2 7200 20090613223111 20090514223111 12892 isc.org. f3gWhhuNs/hlYBJytXvSOmdMYbrw3syVAJ0yYqvToq09/pg53AWEnmdt l24NudXLWLiA57/CCrONRDrUCtX+K2dxkuSYF02Yua2zeELiIIQYEt8c 319hEbvbnqg1u1CJUOB/BCETkolstyQ1MOqBecvA+/UlXo3ZDRX064Hz Ha5RBDaFGUGsdWRZlmPQqizD6Gcug/NpkJBelz0hIuS2uWimwbgDtYhT gw2uDvMLBtsYzxUJot/GgNUwv4Ofa4kES3dvO8U9mahrjMNEFUK8khl+ WdBixijEbHs7jv0lTqrBS4xZQXVI85/07Us13iRw9J+ecFGQ5O8C/9dP TLCodA==
isc.org. 2911 IN RRSIG DNSKEY 5 2 7200 20090613223111 20090514223111 50082 isc.org. mCNeA0XseqHNaylvy6c7+6l61gAKZLLWBPWxPJb0aM2ffoIdKrmtwYej EjUOVVNvxU9A06IwG20I/khJzjmiu57nMsk/WfgJSOnOnTxqGOflu0ks y5YUhKPrTLdKUoeHJOLv2FE/dPS1U9Wy7b3VBbfx+4TtVGFqscwocXtu x1Q=
isc.org. 2911 IN DNSKEY 256 3 5 BEAAAAO1rOHZvkQ3rodVl3tbky5pkfCrBuctoc6k7LbppZwvTMRP78+7 q/WTKrJtgsmRFY6YS7C4+8DTQfKG4TXLFUZybyKyW/1EFnqkVPat/E7t R7Yh0Y8r1bXu9T2/zgJqiC4rPZC7LdrKfS+82xbFNaFp7wgV6nOm7zIU 7wcxzLV9Zw==
isc.org. 2911 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd

;; AUTHORITY SECTION:
isc.org. 38911 IN NS sfba.sns-pb.isc.org.
isc.org. 38911 IN NS ams.sns-pb.isc.org.
isc.org. 38911 IN NS ord.sns-pb.isc.org.
isc.org. 38911 IN NS ns-ext.nrt1.isc.org.
isc.org. 38911 IN RRSIG NS 5 2 43200 20090615233251 20090516233251 50082 isc.org. qG+qwfSP5jSrt+HbdoTTNIWkxyqKxy/sztz+CHvpBlywQY8G3cPO+icP TEmJFK5P8xTExsALqgWinufeUK/Mm1r/n3dWWzNN/eVwJcATDqz0yZGn 1vuqxGtdWRc/C6NVvCeeF+cxz/OKtT0GiQYRv/qJ5qUUMbbR6z9CGv0I p2g=

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 38911 IN A 199.6.1.30
ord.sns-pb.isc.org. 38911 IN A 199.6.0.30
sfba.sns-pb.isc.org. 38911 IN A 149.20.64.3
sfba.sns-pb.isc.org. 38907 IN AAAA 2001:4f8:0:2::19
ams.sns-pb.isc.org. 38911 IN RRSIG A 5 4 43200 20090615233251 20090516233251 50082 isc.org. IXd3ElWsnuwhxwuapFvpafIB+64FZA8PTufI82yPMco+D16vMnsq1SbQ sWlgYJRrZ54QLhmHt8NM0PN8yzz9h/4Z/j0pEuSN3H26eADFWma2f8k9 wMvEL99x6od2FAj5pRH4nGZ2aZuF/PS4Xxp4srSJlpogANO0FnmtwY1M aJM=
ord.sns-pb.isc.org. 38911 IN RRSIG A 5 4 43200 20090615233251 20090516233251 50082 isc.org. T0HoavEjKsZe5qZ0LT7GHlTZsu9OTWkpkS00MxAyy8D6nCGvbaUsksf0 WmiePWvQonRivxfhxkcR/wje7K01mKPeF4VUCk7iZobf3JPeY0YjGSLb RN4Yg1yMy1741mFYu6BbhgpigysacVlveUSIfVVtExF+RfRlQwVLzoeg +F4=

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 20 16:45:42 2009
;; MSG SIZE rcvd: 2007

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Wed May 20 00:11:50 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 75BA828C18F; Wed, 20 May 2009 00:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.984
X-Spam-Level:
X-Spam-Status: No, score=-105.984 tagged_above=-999 required=5 tests=[AWL=0.265, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 88Ck1UC0IKJI; Wed, 20 May 2009 00:11:49 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8F4E028C170; Wed, 20 May 2009 00:11:49 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6fv0-000Ebv-0n for namedroppers-data0@psg.com; Wed, 20 May 2009 07:08:50 +0000
Received: from [2001:660:3003:2::4:11] (helo=mx2.nic.fr) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6ful-000EZF-R9 for namedroppers@ops.ietf.org; Wed, 20 May 2009 07:08:42 +0000
Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id A20E21C0094; Wed, 20 May 2009 09:08:34 +0200 (CEST)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx2.nic.fr (Postfix) with ESMTP id 9D3DD1C007E; Wed, 20 May 2009 09:08:34 +0200 (CEST)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay2.nic.fr (Postfix) with ESMTP id 90F757B003B; Wed, 20 May 2009 09:08:34 +0200 (CEST)
Date: Wed, 20 May 2009 09:08:34 +0200
From: Stephane Bortzmeyer
To: David Conrad
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] Re: Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090520070834.GA1558@nic.fr>
References: <98708266-EF69-4ABA-BF04-ABC167A80E36@virtualized.org> <200905200135.n4K1Z13j052694@drugs.dv.isc.org> <20090520033313.GA12718@hermes.walkereng.com> <86D0013C-5D65-47E5-A30A-CE9336B47C5B@virtualized.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86D0013C-5D65-47E5-A30A-CE9336B47C5B@virtualized.org>
X-Operating-System: Debian GNU/Linux 5.0.1
X-Kernel: Linux 2.6.26-1-686 i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On Tue, May 19, 2009 at 09:05:48PM -0700, David Conrad wrote a message
of 22 lines which said:

> 1996? BIND pre-4.9.4?
>
> Seriously?

Yes. Welcome to the wonderful world of djbware.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
From owner-namedroppers@ops.ietf.org Wed May 20 01:07:00 2009
Date: Wed, 20 May 2009 01:00:14 -0700
From: Matthew Dempsky
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org
Subject: [dnsext] Re: Configuration of domains, secondaries in the domain or not? (Was: DNSCurve
References: <20090519151633.GC27304@nic.fr>

On Tue, May 19, 2009 at 11:52 AM, Matthew Dempsky wrote:
> Here are the list of name server names that these two TLDs are
> transitively dependent upon:

To help visualize this, I've put together graphs showing the transitive dependencies for every TLD at http://shinobi.dempsky.org/~matthew/dnstrust/graphs/. Particularly relevant ones:

http://shinobi.dempsky.org/~matthew/dnstrust/graphs/fr.pdf
http://shinobi.dempsky.org/~matthew/dnstrust/graphs/de.pdf
http://shinobi.dempsky.org/~matthew/dnstrust/graphs/org.pdf
http://shinobi.dempsky.org/~matthew/dnstrust/graphs/se.pdf
http://shinobi.dempsky.org/~matthew/dnstrust/graphs/jp.pdf
http://shinobi.dempsky.org/~matthew/dnstrust/graphs/biz.pdf
From owner-namedroppers@ops.ietf.org Wed May 20 03:28:20 2009
Date: Wed, 20 May 2009 10:18:49 +0000
From: bmanning@vacation.karoshi.com
To: David Conrad
Cc: George Barwood , namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090520101849.GA13291@vacation.karoshi.com.>
In-Reply-To: <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org>

On Tue, May 19, 2009 at 03:19:08PM -0700, David Conrad wrote:
>
> There was discussion of this when 3225 was being written. If I
> remember correctly (quite unlikely -- it was a long time ago), the
> consensus was that an application that requested ANY really needed to
> be able to handle anything that might be returned.
>
> Regards,
> -drc

that is my recollection as well. imho, tweaking the DNS to accommodate another application's short-sighted behaviour is wrong. in that light, ANY should be retained (not exterminated as Mark Andrews seems to call for) and application developers who wish to use data from the DNS SHOULD adopt a "Trust but Verify" mentality.

--bill
From owner-namedroppers@ops.ietf.org Wed May 20 06:20:02 2009
Date: Wed, 20 May 2009 08:12:39 -0500
From: Thierry Moreau
To: Paul Hoffman
CC: bert hubert , namedroppers@ops.ietf.org
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
Message-ID: <4A1401C7.1080309@connotech.com>
References: <3efd34cc0905151502u2df6284eid71f8da14fb77ce1@mail.gmail.com>

Paul Hoffman wrote:

> Hopefully, you are still following the discussion.
>
> At 12:02 AM +0200 5/16/09, bert hubert wrote:
>
>> I have also been pointedly informed [3] that EDNS-PING, which requires an
>> EDNS option code, can't succeed as an individual draft either since only the
>> DNSEXT WG can authorize the issue of such an EDNS option code from IANA.
>
>
> As it turns out, that statement is correct but insufficient. As has been pointed out, all that is needed for an EDNS option code is an RFC.
>
> You can submit an RFC as an *independent submission* directly to the RFC Editor. Such submissions do not come to the WG unless the Area Directors consider the document an "end run" against WG work. Clearly, the WG is not doing work on EDNS pings, so I doubt that would be the case here.
>

That's the theory.

In practice, the independent-submission-through-the-RFC-editor route has a couple of pitfalls. (Without these impediments, I guess there would be many more RFCs originating from protocol developers who feel like Bert indicated.)

First, the RFC editor is a document editor, so it enforces *some* editorial rules, based on volunteer reviewers. This is not a time-limited activity since these volunteers are usually heavily involved in regular IETF activities.

Second, the interface between the RFC editor function (as an independent editor) and the IETF activities is perhaps not as clean cut as indicated above (whether the proposal is "an 'end run' against WG work"). The evil is in the details.

And beyond this, the activity reports from the RFC editor function (I'm not even referring to accountability) are such that it is impossible to identify corner cases (i.e. we miss the age distribution of submissions in the queue according to the stage in the submission progress diagram). So much for transparency.

So, in short, there is the theoretical publication route that Bert is invited to investigate. In practice, it looks like little more than a means of taking the guilt out of DNSEXT WG participants for Bert's desertion.

Although I am a supporter of DNSSEC deployment, Bert's perspective on DNS security (including his DNSSEC skepticism) has consistently been at once useful, well supported, and expressed in an elegant language. Thanks to Mr. Hubert.

Regards,

-- 
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com

From owner-namedroppers@ops.ietf.org Wed May 20 08:03:01 2009
Date: Wed, 20 May 2009 16:58:16 +0200
From: Otmar Lendl
To: Andrew Sullivan
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <4A141A88.1060700@nic.at>
In-Reply-To: <20090508181422.GH2372@shinkuro.com>

A bit late, but whatever, here is my input:

Andrew Sullivan wrote:
>
> 1. Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.

no.

> 2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and
> include in it recommendations to do nothing else except what that
> document contains. Remove from section 3 any strategies we do not
> want to adopt. (Note that this latter condition entails decisions
> about the next two options.)

Wouter's draft is a good summary, especially the re-query for RRSETs learned from the Auth section. Definitely adopt it.

> 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps
> this gets included in that document, or perhaps it proceeds as part of
> a set of documents. Let's leave the editorial process issues out of
> the discussion, and just focus on whether we want to include this
> strategy in the tool box.

Just try to get the server side written down somewhere. That doesn't add any cost, and leaves the option to do the client part open.

> 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this
> might be included as part of (2) or processed individually, but that
> doesn't matter.

The draft as it stands is far from perfect, but the generic idea that we should try to somehow extend the query-ID is a very worthwhile one.

IMHO there are a few different aspects to this:

* The server-side is rather trivial, the only question is whether to go for a stateless or a stateful design on the server.

* Use a new pseudo-RR or go for an EDNS0 option.

What I'm really missing is a clear cut description of the client side algorithm and fall-back strategies. These huge email threads here have included both interesting schemes and assertions that this is impossible to get right. That's not a good basis for a decision; I'd really like to have a concrete proposal on the algorithm so that any attacks against it can be properly documented and examined.

As with 0x20, I'm not sure whether we shouldn't split it up in a short and relatively painless (and not just informational) spec on what that extended qID looks like on the wire and what the server-side is supposed to do, and an informational/experimental draft on how this can be leveraged to increase the security by the client.

/ol
-- 
// Otmar Lendl , T: +43 1 5056416 - 33, F: - 933
//
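Added example (not text or code from the drafts named above, nor from any resolver): a stdlib-only sketch of the client-side half that Otmar asks for, using 0x20 as the "extended query ID". The case pattern is chosen per query from random bits, sent on the wire, and a reply is accepted only when QR is set and its ID, qtype and case-preserved question all match the outstanding query; the names encode_0x20, build_query, parse_question and response_matches are this example's own, and the only assumption is the one 0x20 itself makes, that the server echoes the question section byte-for-byte.

```python
"""Resolver-side forgery resilience: 0x20 case randomization of the query
name plus ID/qtype/question matching on the reply. Added example for this
thread's discussion of draft-vixie-dnsext-dns0x20 and the "extend the
query-ID" idea; not text or code from those drafts or from any resolver.
Assumption (the one 0x20 relies on): the server echoes the question
section byte-for-byte, so the case pattern survives the round trip."""
import secrets
import struct

QTYPE_A, QTYPE_ANY = 1, 255


def extra_entropy_bits(qname: str) -> int:
    """Bits 0x20 adds on top of the 16-bit ID: one per ASCII letter."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def encode_0x20(qname: str, rnd: bytes) -> str:
    """Pick the case of each ASCII letter from one bit of rnd (bit i, LSB
    first across rnd's bytes, decides letter i: 1 upper, 0 lower). Names
    compare case-insensitively, so the query still asks for the same owner."""
    if len(rnd) * 8 < extra_entropy_bits(qname):
        raise ValueError("rnd is too short for this name")
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            bit = (rnd[i // 8] >> (i % 8)) & 1
            out.append(ch.upper() if bit else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def encode_name(qname: str) -> bytes:
    """Wire-format name (length-prefixed labels), case preserved."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in labels) + b"\x00"


def build_query(qid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal query: header with RD set, one question, no EDNS."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def parse_question(msg: bytes):
    """Return (id, qname, qtype) from the question section, case preserved."""
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return qid, ".".join(labels) + ".", qtype


def response_matches(query: bytes, response: bytes) -> bool:
    """Accept a reply only if QR is set and its ID, qtype and case-sensitive
    question equal the outstanding query's: a blind spoofer now has to guess
    the case pattern as well as the ID and source port."""
    try:
        q, r = parse_question(query), parse_question(response)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False
    return bool(response[2] & 0x80) and q == r


def sample_response(query: bytes, lowercase_qname: bool = False) -> bytes:
    """Constructed reply for the demo: same ID, QR/RD/RA set, question echoed.
    lowercase_qname models a reply whose question lacks the case pattern
    (a spoofer's guess, or a server that rewrites the name)."""
    qid, qname, qtype = parse_question(query)
    if lowercase_qname:
        qname = qname.lower()
    return (struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def demo(rnd: bytes = None, qid: int = None):
    """Both halves of the check on a constructed exchange; returns
    (genuine reply accepted, case-mismatched reply accepted)."""
    rnd = secrets.token_bytes(8) if rnd is None else rnd   # up to 64 letters
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    query = build_query(qid, encode_0x20("www.example.org.", rnd), QTYPE_ANY)
    genuine = sample_response(query)
    mismatched = sample_response(query, lowercase_qname=True)
    # If rnd chose all-lowercase, 0x20 added nothing for this query and the
    # two replies are identical: a 1-in-8192 event for these 13 letters.
    return response_matches(query, genuine), response_matches(query, mismatched)
```

Running demo() with fresh randomness returns (True, False) except in the rare all-lowercase draw noted in the comment; compare extra_entropy_bits() for the names your resolver actually asks about, since short or digit-heavy names add few bits.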
From owner-namedroppers@ops.ietf.org Wed May 20 08:03:04 2009
Date: Wed, 20 May 2009 07:57:45 -0700
From: Paul Hoffman
To: Thierry Moreau
Cc: bert hubert , namedroppers@ops.ietf.org
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
In-Reply-To: <4A1401C7.1080309@connotech.com>

At 8:12 AM -0500 5/20/09, Thierry Moreau wrote:
>Paul Hoffman wrote:
>
>>Hopefully, you are still following the discussion.
>>
>>At 12:02 AM +0200 5/16/09, bert hubert wrote:
>>
>>>I have also been pointedly informed [3] that EDNS-PING, which requires an
>>>EDNS option code, can't succeed as an individual draft either since only the
>>>DNSEXT WG can authorize the issue of such an EDNS option code from IANA.
>>
>>
>>As it turns out, that statement is correct but insufficient. As has been pointed out, all that is needed for an EDNS option code is an RFC.
>>
>>You can submit an RFC as an *independent submission* directly to the RFC Editor. Such submissions do not come to the WG unless the Area Directors consider the document an "end run" against WG work. Clearly, the WG is not doing work on EDNS pings, so I doubt that would be the case here.
>>
>
>That's the theory.

...that happens nearly all the time. Please don't expect perfection here (or anywhere else...).

>In practice, the independent-submission-through-the-RFC-editor route has a couple of pitfalls. (Without these impediments, I guess there would be many more RFCs originating from protocol developers who feel like Bert indicated.)

We disagree here. Many protocol developers don't know about the independent submission stream. That should change within the next year.

>First, the RFC editor is a document editor, so it enforces *some* editorial rules, based on volunteer reviewers. This is not a time-limited activity since these volunteers are usually heavily involved in regular IETF activities.

For documents with no questions, the review process usually goes quickly, faster than the normal IETF process. For documents with questions, of course, it can slow down.

>Second, the interface between the RFC editor function (as an independent editor) and the IETF activities is perhaps not as clean cut as indicated above (whether the proposal is "an 'end run' against WG work"). The evil is in the details.

This feels like FUD. I have looked at the process, and it almost always works. Do you have examples in the DNS space where it has failed?

>And beyond this, the activity reports from the RFC editor function (I'm not even referring to accountability) are such that it is impossible to identify corner cases (i.e. we miss the age distribution of submissions in the queue according to the stage in the submission progress diagram). So much for transparency.

True for now. It will change at the end of this year.

>So, in short, there is the theoretical publication route that Bert is invited to investigate.

No, there is an *actual* publication route that Bert and others are invited to investigate.

>In practice, it looks like little more than a means of taking the guilt out of DNSEXT WG participants for Bert's desertion.

Poppycock. You are attributing motives to me that are absurd in the extreme.

>Although I am a supporter of DNSSEC deployment, Bert's perspective on DNS security (including his DNSSEC skepticism) has consistently been at once useful, well supported, and expressed in an elegant language. Thanks to Mr. Hubert.

My message was unrelated to either DNSSEC or his perspective on DNS security. The independent submission route is just as useful for good ideas as it is for bad ones. Its purpose is quite different than the purpose of the WG process.

--Paul Hoffman, Director
--VPN Consortium
From owner-namedroppers@ops.ietf.org Wed May 20 08:12:08 2009
Date: Wed, 20 May 2009 15:09:27 +0000
From: Paul Vixie
To: bmanning@vacation.karoshi.com
cc: David Conrad , George Barwood , namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <31495.1242832167@nsa.vix.com>
In-Reply-To: <20090520101849.GA13291@vacation.karoshi.com.>

> Date: Wed, 20 May 2009 10:18:49 +0000
> From: bmanning@vacation.karoshi.com
> ...
> imho, tweaking the DNS to accommodate another application's
> short-sighted behaviour is wrong. in that light, ANY should
> be retained (not exterminated as Mark Andrews seems to call for)
> and application developers who wish to use data from the DNS
> SHOULD adopt a "Trust but Verify" mentality.

queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only. if an application is making such a query, that application is confused.
archive: From owner-namedroppers@ops.ietf.org Wed May 20 08:22:49 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D4853A6CBC; Wed, 20 May 2009 08:22:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.577 X-Spam-Level: X-Spam-Status: No, score=-0.577 tagged_above=-999 required=5 tests=[AWL=-1.252, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVmTY+jnDWL2; Wed, 20 May 2009 08:22:48 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E03A33A6BF1; Wed, 20 May 2009 08:22:47 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6nZu-0008gg-Qo for namedroppers-data0@psg.com; Wed, 20 May 2009 15:19:34 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6nZd-0008fB-7r for namedroppers@ops.ietf.org; Wed, 20 May 2009 15:19:28 +0000 Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4KFJDhW055673 for ; Wed, 20 May 2009 11:19:14 -0400 (EDT) (envelope-from ogud@ogud.com) Message-Id: <200905201519.n4KFJDhW055673@stora.ogud.com> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 20 May 2009 11:17:30 -0400 To: namedroppers@ops.ietf.org From: =?iso-8859-1?Q?=D3lafur?= =?iso-8859-1?Q?_Gu=F0mundsson?= /DNSEXT chair Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm In-Reply-To: <20090508181422.GH2372@shinkuro.com> References: <20090508181422.GH2372@shinkuro.com> Mime-Version: 1.0 Content-Type: 
text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: With less than one day left before the chairs need to make a determination. The purpose of this message is to point out that the discussion has possibly been derailed by heated arguments about the merits of a subset of the options, at the detriment of other options. At this point we have enough support to say EDNS0 Ping is acceptable for further study, even though there is a large number detractors. (option #4) It is close call for option #3 x20 There is no public support for option #2, and no one has argued for option #1. If you are in favor of options #1, #2 or #5 now is the time to speak up. As an experiment I have set up a poll for the different options, http://www.doodle.com/7yvife73qvwtnr5m Feel free to post to namedroppers or participate in the pool. When you participate in the poll use a name that I can correlate to a namedroppers subscription i.e. no AB or BA names. thanks Olafur Olafur At 14:14 08/05/2009, Andrew Sullivan wrote: >Dear colleagues, > >Your Chairs have been observing the discussion around adoption of >various drafts for techniques to mitigate forgeries and cache >poisoning. It appears to us that the WG is not converging on >consensus. > >We currently have a request open to adopt EDNS0 ping. The discussion >of adopting the document appeared to expose a fault in the community, >where some expressed strong opposition to undertaking any further forgery >resilience work when DNSSEC is already available, while others argued >that DNSSEC is not getting deployed and therefore we need other urgent >action. > >Meanwhile, some other mechanisms, including "0x20" and those outlined >in draft-wijngaards-dnsext-resolver-side-mitigation-01.txt seem to be >showing up in various implementations. 
> >We think it would be better if we came to some more or less shared >agreement on what to do in this space (including nothing). The >portion of the meeting we had in Dublin that was dedicated to this >topic seems not to have inspired consensus. Therefore, we would like >to present five options for consideration: > >1. Do nothing, and take all energy that might be devoted to this >effort and direct it towards DNSSEC deployment. > >2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and >include in it recommendations to do nothing else except what that >document contains. Remove from section 3 any strategies we do not >want to adopt. (Note that this latter condition entails decisions >about the next two options.) > >3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps >this gets included in that document, or perhaps it proceeds as part of >a set of documents. Let's leave the editorial process issues out of >the discussion, and just focus on whether we want to include this >strategy in the tool box. > >4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this >might be included as part of (2) or processed individually, but that >doesn't matter. > >5. Officially adopt nothing, but support (2) and (3) going ahead as >individual submissions on the Informational track. (2) would >obviously need to be modified slightly to keep out any protocol items >that might be entailed. The reason (4) can't just go ahead on the >individual track is that the assignment of an EDNS0 code point >requires standards action, so the work would come back here anyway. > >We will plan to request a meeting session in Stockholm to discuss this >issue (and possibly some other topics before us). If the WG can come >to a clear consensus on-list before then (and we have no other >business), then obviously we will be in a position to cancel the >Stockholm session. If we have not come to a conclusion by 20 May, we >will keep the session scheduled. 
>
> In the absence of strong arguments in favour of action and at least an apparently broad constituency to do the work within the WG, the Chairs are inclined to take option (1), because the WG is supposed to be sleeping. This is by no means to say that we are prejudiced in favour of that option. It is rather to say that we are procedurally bound, by our charter, to a default of "No" for at least some of these documents. Adding a new standards-track item to the WG work requires rechartering, please note, and given one other request we have open we may therefore need to recharter anyway.
>
> Best regards,
>
> Olafur and Andrew
>
> --
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.

From: Ólafur Guðmundsson /DNSEXT chair
To: namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 11:27:17 -0400
Subject: Re: [dnsext] WGLC TSIG MD5 Deprecated

Reminder: we still need more reviews. In particular none of the people that supported adoption has submitted one.

Olafur

Ps: in case you forgot, if you supported the document (and agreed to review): Roy Arends, Mark Andrews, Olaf Kolkman, Patrik Fältström, Joe Abley, Brian Dickson, Edward Lewis, Mike StJohns

At 18:19 08/05/2009, Ólafur Guðmundsson /DNSEXT wrote:
> This note starts a Working Group Last Call for this Standards Track document ending on midnight May 24th UTZ 2009.
>
> URL for the document and its history:
> http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-tsig-md5-deprecated/
>
> This document is on the Standards Track. The document updates standards track documents and redefines an IANA registry.
>
> Please read the document carefully, and send your comments to the mailing list.
>
> The document process rules in this working group require that at least 5 members of the working group state that they have reviewed the document and that there is consensus of support to publish it as a Standards Track RFC.
>
> Olafur (for the chairs)

From: Paul Vixie
To: Ólafur Guðmundsson /DNSEXT chair
Cc: namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 15:34:35 +0000
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm

i'm in favour of option #6 (TKEY-DH plus TSIG) and i'm willing to write it up.

From: Nicholas Weaver
To: Paul Vixie
Cc: Nicholas Weaver, Ólafur Guðmundsson /DNSEXT chair, namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 09:00:37 -0700
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm

On May 20, 2009, at 8:34 AM, Paul Vixie wrote:
> i'm in favour of option #6 (TKEY-DH plus TSIG) and i'm willing to write it up.

Note please that much of what is in option #2 (Wouter's draft) with regard to glue policy is orthogonal to the increasing of entropy. Additionally, there are multiple DNS resolvers which implement such more paranoid glue policies. I would appreciate that this discussion be separated from the other portions of the debate on mechanisms to increase query entropy and/or secure the communication channel, which represent protocol extensions.

From: Tony Finch
To: Mark Andrews
Cc: namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 18:23:10 +0100
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

On Wed, 20 May 2009, Mark Andrews wrote:
>
> Qmail is broken with or without DNSSEC records based on this thread.

qmail has been abandoned by its author. The last release was nearly 11 years ago. It doesn't even compile on modern Unix without patches. It would be a big mistake to twist the protocol to accommodate qmail's brokenness.

Tony.
--
f.anthony.n.finch http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.

From: Edward Lewis
To: Ólafur Guðmundsson /DNSEXT chair
Cc: namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 13:47:02 -0400
Subject: was Re: [dnsext] WGLC TSIG MD5 Deprecated

off-list because I didn't want to insult Francis...

At 11:27 -0400 5/20/09, Ólafur Guðmundsson /DNSEXT chair wrote:
> Ps: in case you forgot if you supported the document (and agreed to review)
> Roy Arends, Mark Andrews, Olaf Kolkman, Patrik Fältström, Joe Abley,
> Brian Dickson, Edward Lewis, Mike StJohns

I reviewed it and sent in comments already. I became so confused by Francis' replies I walked away. I mean, I couldn't figure out which parts of the message were mine and which were his in the replies, much less the points he was making.

I don't plan to retry being involved...too confusing, too much work.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From: Edward Lewis
To: Edward Lewis
Cc: Ólafur Guðmundsson /DNSEXT chair, namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 14:07:05 -0400
Subject: Re: was Re: [dnsext] WGLC TSIG MD5 Deprecated

Public apologies to Francis...and thanks to the person who noted I forgot to edit the cc line.

At 13:47 -0400 5/20/09, Edward Lewis wrote:
> off-list because I didn't want to insult Francis...
>
> I reviewed it and sent in comments already. I became so confused by Francis' replies I walked away. I mean, I couldn't figure out which parts of the message were mine and which were his in the replies, much less the points he was making.

...it's just that. I didn't disagree, I just got too tangled up trying to follow the message...so I mentally punted it in the face of too much else to do these days...

> I don't plan to retry being involved...too confusing, too much work.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From: David Conrad
To: George Barwood
Date: Wed, 20 May 2009 11:48:49 -0700
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

On May 20, 2009, at 10:46 AM, George Barwood wrote:
> ANY is not by any means an explicit query for a DNSSEC RR.

Your opinion would appear to differ with the working group consensus from ages ago. ANY requests anything, which would seem to include DNSSEC RRs to me.

> For academics living in Ivory towers, it is fine to declare that all copies of qmail, and any similar software, must be updated.

"Academics living in Ivory towers". Right.

Good luck with your efforts to get DNS software writers to modify their code. I'm sure arguments like this will convince them.

Regards,
-drc

From: bert hubert
To: David Conrad
Cc: George Barwood, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 21:15:54 +0200
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

On Wed, May 20, 2009 at 8:48 PM, David Conrad wrote:
> Your opinion would appear to differ with the working group consensus from ages ago. ANY requests anything, which would seem to include DNSSEC RRs to me.

I agree.

>> For academics living in Ivory towers, it is fine to declare that all copies of qmail, and any similar software, must be updated.
>
> "Academics living in Ivory towers". Right.
>
> Good luck with your efforts to get DNS software writers to modify their code. I'm sure arguments like this will convince them.

But here I don't - academics in ivory towers typically are not DNS software writers. Any standard that would lead to more (bona fide) mail being bounced will be frowned upon by anyone writing production software. So these arguments are in fact pretty convincing.
Qmail is not large enough to merit us changing the DNS spec for it, but (let's say) Exchange would be.

Should this working group think otherwise (which I doubt), it would be out of touch with reality.

Bert

From: Edward Lewis
To: bert hubert
Cc: namedroppers@ops.ietf.org
Date: Wed, 20 May 2009 15:35:07 -0400
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

At 21:15 +0200 5/20/09, bert hubert wrote:
> ...is not large enough to merit us changing the DNS spec for it, but (let's say) Exchange would be.
>
> Should this working group think otherwise (which I doubt), it would be out of touch with reality.

I think otherwise.

In response to SiteFinder, it was said that DNS serves more than the web. Keep that in mind, because DNS serves more than email. The DNS protocol has to work equally well for all applications, for all kinds of zones. Tugging on it to appease one protocol may have negative implications for another protocol.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

Cc: George Barwood, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
From: David Conrad
To: bert hubert
Date: Wed, 20 May 2009 14:22:49 -0700
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

Bert,

On May 20, 2009, at 12:15 PM, bert hubert wrote:
> But here I don't - academics in ivory towers typically are not DNS software writers.

Indeed. In fact, I'd say making accusations along these lines makes the discussion relatively pointless.

> So these arguments are in fact pretty convincing. Qmail is not large enough to merit us changing the DNS spec for it, but (let's say) Exchange would be.

I dunno. In this specific case, it seems to me that qmail is simply broken. If I understand correctly, it is making invalid assumptions (that an ANY response is always < 512 bytes) and has no way to recover (since it doesn't support TCP fallback). The fact that DNSSEC responses are big has tickled this bug. If 3225 redefined ANY to not really be ANY, but rather ANY except for DNSSEC-related types unless DO was set (in which case it really means ANY), it would hide the bug, not fix it. As Mark Andrews points out, you can tickle the qmail bug with A RRs or AAAA RRs. Even if Exchange or Sendmail or any other MTA did this, I suspect the answer would be the same.

> Should this working group think otherwise (which I doubt), it would be out of touch with reality.
So, for sake of argument, let's say Microsoft had released software that didn't conform to published standards, whereas numerous other vendors had implemented according to standard. You are arguing that the right course of action is to revise the standard to match Microsoft's non-standard implementation? In my experience, the IETF has taken the opposite view... Regards, -drc -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Wed May 20 15:21:17 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B6E43A68B3; Wed, 20 May 2009 15:21:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 4.765 X-Spam-Level: **** X-Spam-Status: No, score=4.765 tagged_above=-999 required=5 tests=[AWL=0.870, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_BLUEYON=1.4, HELO_MISMATCH_UK=1.749, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbfYOJRo8qu2; Wed, 20 May 2009 15:21:16 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 6E2973A6ED8; Wed, 20 May 2009 15:21:02 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6u6r-000Nje-0a for namedroppers-data0@psg.com; Wed, 20 May 2009 22:18:01 +0000 Received: from [195.188.213.5] (helo=smtp-out2.blueyonder.co.uk) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6u6e-000Nic-W8 for namedroppers@ops.ietf.org; Wed, 20 May 2009 22:17:54 +0000 Received: from [172.23.170.147] (helo=anti-virus03-10) by smtp-out2.blueyonder.co.uk with smtp (Exim 4.52) id 
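What a client that does not make the assumption David describes looks like, as an added example (not code from qmail, from any resolver named in this thread, or from the list): it builds an ANY query with and without the EDNS0 OPT record that carries the DO bit (RFC 3225), parses the reply header, and uses the TC bit to decide whether the UDP answer was cut off at the 512-byte limit and has to be repeated over TCP. Both reply messages are constructed inline for the demonstration; the constant and helper names are this example's own.

```python
import struct

CLASS_IN = 1
TYPE_A = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 2671)
TYPE_ANY = 255
UDP_LIMIT = 512        # classic DNS/UDP payload limit without EDNS0 (RFC 1035)
EDNS_DO_FLAG = 0x8000  # DO bit: high bit of the OPT RR's TTL field (RFC 3225)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (a compression pointer ends a name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid, do=False, udp_size=4096):
    """Build a query; with do=True append an OPT RR advertising udp_size and the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if do:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL=extended RCODE/version/flags (DO is bit 15), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO_FLAG, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def query_sets_do(query):
    """Walk the question and the records after it; report whether an OPT RR carries DO."""
    h = parse_header(query)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(query, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & EDNS_DO_FLAG:
            return True
    return False


def needs_tcp_retry(query, udp_reply):
    """A reply with TC set was cut off at the UDP limit (RFC 1035 4.2.1): the client must
    repeat the query over TCP rather than act on the partial answer. A reply whose ID
    does not match the query, or that is not a response at all, is discarded instead."""
    h = parse_header(udp_reply)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        raise ValueError("reply does not belong to this query")
    return h["tc"]


def tcp_frame(query):
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query


def make_reply(query, tc, answers=b"", ancount=0):
    """Constructed reply for the demo: echo the question, set QR/RD/RA and optionally TC."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    qend = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:qend] + answers


def lookup_plan(query, udp_reply):
    """What a robust client does next: use the UDP answer, or resend the query over TCP."""
    if needs_tcp_retry(query, udp_reply):
        return ("tcp", tcp_frame(query))
    return ("udp", udp_reply)


if __name__ == "__main__":
    q = build_query("example.com", TYPE_ANY, 0x1234, do=True)
    truncated = make_reply(q, tc=True)   # constructed: the server had to truncate
    one_a = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    complete = make_reply(q, tc=False, answers=one_a, ancount=1)
    print("DO set in query:", query_sets_do(q))
    print("truncated reply ->", lookup_plan(q, truncated)[0])
    print("complete reply  ->", lookup_plan(q, complete)[0])
```

The point the thread makes is visible in `needs_tcp_retry`: the size of an ANY answer is not something a client can assume, so the only safe signal is the TC bit in the reply, and a client with no TCP path has nowhere to go when it is set.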
From owner-namedroppers@ops.ietf.org Wed May 20 15:21:17 2009
From: "George Barwood"
To: "David Conrad", "bert hubert"
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Wed, 20 May 2009 23:17:35 +0100
Message-ID: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost>
References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org>

David

Seriously, wasn't the purpose of RFC 3225 to allow deployment, as per the abstract:

"In order to deploy DNSSEC (Domain Name System Security Extensions)
   operationally, DNSSEC aware servers should only perform automatic
   inclusion of DNSSEC RRs when there is an explicit indication that the
   resolver can understand those RRs."

I don't see how ANY can be taken as an explicit indication that the resolver understands DNSSEC RRs,
that's clearly not the case, so there is inconsistency.

I notice that RFC 4035, which updates 3225, is ambiguous:

"If the DO bit in an initiating query is not set, the name server side
   MUST strip any authenticating DNSSEC RRs from the response but MUST
   NOT strip any DNSSEC RR types that the initiating query explicitly
   requested."

since it doesn't define "explicit" (AFAIK). The dictionary says

"fully and clearly expressed or demonstrated; leaving nothing merely implied; unequivocal;"

Regards,
George

----- Original Message -----
From: "David Conrad" <drc@virtualized.org>
To: "bert hubert" <bert.hubert@gmail.com>
Cc: "George Barwood" <george.barwood@blueyonder.co.uk>; <bmanning@vacation.karoshi.com>; <namedroppers@ops.ietf.org>
Sent: Wednesday, May 20, 2009 10:22 PM
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

> Bert,
>
> On May 20, 2009, at 12:15 PM, bert hubert wrote:
>> But here I don't - academics in ivory towers typically are not DNS
>> software writers.
>
> Indeed. In fact, I'd say making accusations along these lines makes
> the discussion relatively pointless.
>
>> So these arguments are in fact pretty convincing. Qmail is not large
>> enough to merit us changing the DNS spec for it, but (let's say)
>> Exchange would be.
>
> I dunno. In this specific case, it seems to me that qmail is simply
> broken. If I understand correctly, it is making invalid assumptions
> (that ANY response is always < 512 bytes) and has no way to recover
> (since it doesn't support TCP fallback). The fact that DNSSEC
> responses are big has tickled this bug. If 3225 redefined ANY to not
> really be ANY, but rather ANY except for DNSSEC-related types unless
> DO was set, then it really means ANY, it would hide the bug, not fix
> it. As Mark Andrews points out, you can tickle the qmail bug with A
> RRs or AAAA RRs. Even if Exchange or Sendmail or any other MTA did
> this, I suspect the answer would be the same.
>
>> Should this working group think otherwise (which I doubt), it would be
>> out of touch with reality.
>
> So, for sake of argument, let's say Microsoft had released software
> that didn't conform to published standards, whereas numerous other
> vendors had implemented according to standard. You are arguing that
> the right course of action is to revise the standard to match
> Microsoft's non-standard implementation? In my experience, the IETF
> has taken the opposite view...
>
> Regards,
> -drc
>
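The RFC 4035 sentence George quotes, as an added example (not code from the list or from any name server): a server-side filter that, with DO clear, strips the DNSSEC records included only to authenticate the answer but keeps a DNSSEC type the query named explicitly. The `any_is_explicit` switch encodes the two readings of "explicitly requested" for QTYPE=ANY that the thread disagrees about, and the record sizes are constructed so that the answer crosses the 512-byte UDP limit only when keys and signatures are included. The type set `DNSSEC_TYPES`, the `RR` tuple, the sample records and the size arithmetic are this example's own assumptions.

```python
from collections import namedtuple

TYPE_A, TYPE_AAAA, TYPE_MX = 1, 28, 15
TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 43, 46, 47, 48
TYPE_ANY = 255
UDP_LIMIT = 512
# Types treated here as "authenticating DNSSEC RRs" (an assumption of this example).
DNSSEC_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY}

# A record as the filter sees it: owner name, type, and how many RDATA bytes it carries.
RR = namedtuple("RR", "name rtype rdata_len")


def explicitly_requested(qtype, rtype, any_is_explicit):
    """Does the query's QTYPE count as an explicit request for rtype?
    QTYPE=ANY is the contested case: RFC 4035 does not say whether it is 'explicit'."""
    if qtype == rtype:
        return True
    return qtype == TYPE_ANY and any_is_explicit


def filter_response(rrs, qtype, do_bit, any_is_explicit=False):
    """RFC 4035 section 3.1 rule: with DO clear, strip authenticating DNSSEC RRs but
    never strip a DNSSEC type the query explicitly asked for; with DO set, send all."""
    if do_bit:
        return list(rrs)
    return [rr for rr in rrs
            if rr.rtype not in DNSSEC_TYPES
            or explicitly_requested(qtype, rr.rtype, any_is_explicit)]


def wire_size(rrs, header_and_question=29):
    """Approximate message size: fixed header plus question, then per record a 2-byte
    compressed owner name, 10 bytes of TYPE/CLASS/TTL/RDLENGTH and the RDATA."""
    return header_and_question + sum(2 + 10 + rr.rdata_len for rr in rrs)


# Constructed apex data for the demo; RDATA sizes are typical figures, not measured ones.
ZONE_RRS = [
    RR("example.com.", TYPE_A, 4),
    RR("example.com.", TYPE_AAAA, 16),
    RR("example.com.", TYPE_MX, 10),
    RR("example.com.", TYPE_DNSKEY, 261),   # roughly a 2048-bit RSA key
    RR("example.com.", TYPE_DNSKEY, 261),
    RR("example.com.", TYPE_RRSIG, 280),    # one signature per RRset above
    RR("example.com.", TYPE_RRSIG, 280),
    RR("example.com.", TYPE_RRSIG, 280),
]


def any_response_sizes(rrs=ZONE_RRS):
    """Size of an ANY answer under the three policies the thread contrasts."""
    return {
        "DO=0, ANY not explicit": wire_size(filter_response(rrs, TYPE_ANY, False, False)),
        "DO=0, ANY explicit": wire_size(filter_response(rrs, TYPE_ANY, False, True)),
        "DO=1": wire_size(filter_response(rrs, TYPE_ANY, True)),
    }


def dnskey_answer_types(do_bit):
    """Types returned for QTYPE=DNSKEY: the keys stay even with DO clear because the
    query named the type; the RRSIG over them goes unless DO is set."""
    keyset = [rr for rr in ZONE_RRS if rr.rtype in (TYPE_DNSKEY, TYPE_RRSIG)][:3]
    return [rr.rtype for rr in filter_response(keyset, TYPE_DNSKEY, do_bit)]


def fits_in_udp(size):
    return size <= UDP_LIMIT


if __name__ == "__main__":
    for policy, size in any_response_sizes().items():
        print(f"{policy:24s} {size:5d} bytes  fits in 512-byte UDP: {fits_in_udp(size)}")
    print("DNSKEY query, DO=0:", dnskey_answer_types(False))
    print("DNSKEY query, DO=1:", dnskey_answer_types(True))
```

Under the first reading the ANY answer to a non-DO client stays well inside 512 bytes; under the second it is identical to the DO=1 answer, which is the size change that tickled the bug discussed above. Either way the DNSKEY case is unambiguous, because the query named the type.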
From owner-namedroppers@ops.ietf.org Wed May 20 15:35:11 2009
Date: Wed, 20 May 2009 22:30:24 +0000
From: bmanning@vacation.karoshi.com
To: Paul Vixie
Cc: bmanning@vacation.karoshi.com, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090520223024.GA19073@vacation.karoshi.com.>
In-Reply-To: <31495.1242832167@nsa.vix.com>

On Wed, May 20, 2009 at 03:09:27PM +0000, Paul Vixie wrote:
> > Date: Wed, 20 May 2009 10:18:49 +0000
> > From: bmanning@vacation.karoshi.com
> > ...
> > imho, tweaking the DNS to accommodate another application's
> > short sighted behaviour is wrong. in that light, ANY should
> > be retained (not exterminated as Mark Andrews seems to call for)
> > and application developers who wish to use data from the DNS
> > SHOULD adopt a "Trust but Verify" mentality.
>
> queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> if an application is making such a query, that application is confused.

perhaps you mean -most- applications are confused.

--bill
From owner-namedroppers@ops.ietf.org Wed May 20 16:19:00 2009
From: Paul Vixie
To: bmanning@vacation.karoshi.com
cc: David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-Reply-To: <20090520223024.GA19073@vacation.karoshi.com.>
Date: Wed, 20 May 2009 23:16:41 +0000
Message-ID: <62514.1242861401@nsa.vix.com>

> > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> > if an application is making such a query, that application is confused.
>
> perhaps you mean -most- applications are confused.

i'm talking specifically about stubs, not server to server. if an app is
asking CNAME or ANY questions, through a stub, it's for diagnostic purposes.
From owner-namedroppers@ops.ietf.org Wed May 20 16:42:11 2009
From: Mark Andrews
To: Paul Vixie
Cc: bmanning@vacation.karoshi.com, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-reply-to: <62514.1242861401@nsa.vix.com>
Date: Thu, 21 May 2009 09:39:23 +1000
Message-Id: <200905202339.n4KNdNHm061471@drugs.dv.isc.org>

In message <62514.1242861401@nsa.vix.com>, Paul Vixie writes:
> > > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> > > if an application is making such a query, that application is confused.
> >
> > perhaps you mean -most- applications are confused.
>
> i'm talking specifically about stubs, not server to server. if an app is
> asking CNAME or ANY questions, through a stub, it's for diagnostic purposes.

res_findzonecut() uses SOA queries to discover the zone cuts.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
From owner-namedroppers@ops.ietf.org Wed May 20 17:21:54 2009
From: Mark Andrews
To: Paul Hoffman
Cc: Thierry Moreau, bert hubert, namedroppers@ops.ietf.org
Subject: Re: dropping request for adoption of EDNS-PING, was Re: [dnsext] Point of order
In-reply-to: Your message of "Wed, 20 May 2009 07:57:45 MST."
Date: Thu, 21 May 2009 10:18:08 +1000
Message-Id: <200905210018.n4L0I8M6062002@drugs.dv.isc.org>

> This feels like FUD. I have looked at the process, and it almost always
> works. Do you have examples in the DNS space where it has failed?

RFC 4431 (DLV record) was an independent submission that would have been more controversial than EDNS-PING if it had been taken to the WG. The RFC Editor's expert rejected it on review*. I then found an AD to sponsor it and then I needed to explain to the IESG that this was actually only a mechanism to publish a collection of trust anchors and such collections were an expected part of the DNSSEC operations.

Mark

* there is no appeal process for this decision.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
From owner-namedroppers@ops.ietf.org Wed May 20 18:26:38 2009
From: Paul Vixie
To: Mark Andrews
cc: bmanning@vacation.karoshi.com, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-Reply-To: <200905202339.n4KNdNHm061471@drugs.dv.isc.org>
Date: Thu, 21 May 2009 01:21:20 +0000
Message-ID: <67353.1242868880@nsa.vix.com>

> > i'm talking specifically about stubs, not server to server. if an app
> > is asking CNAME or ANY questions, through a stub, it's for diagnostic
> > purposes.
>
> res_findzonecut() uses SOA queries to discover the zone cuts.

good one. any others?
From owner-namedroppers@ops.ietf.org Wed May 20 19:02:56 2009
Date: Thu, 21 May 2009 01:56:08 +0000
From: bmanning@vacation.karoshi.com
To: Paul Vixie
Cc: bmanning@vacation.karoshi.com, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090521015608.GA20476@vacation.karoshi.com.>
In-Reply-To: <62514.1242861401@nsa.vix.com>

On Wed, May 20, 2009 at 11:16:41PM +0000, Paul Vixie wrote:
> > > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> > > if an application is making such a query, that application is confused.
> >
> > perhaps you mean -most- applications are confused.
>
> i'm talking specifically about stubs, not server to server. if an app is
> asking CNAME or ANY questions, through a stub, it's for diagnostic purposes.

and such an application is thereby -not- confused, but is doing
what it was designed to do.

the heartburn here is that folks who have written applications that
pull data out of the DNS have been lazy and punted to "get everything"
aka ANY, w/o an understanding of what that meant, and while it worked
for the most part, the underlying protocol has changed what it means
to "get everything" ... and instead of fixing the apps (or letting the
orphans die a natural death) a few folks want the DNS protocol jocks
to mod the protocol for their particular borked, EOL application.

Ed said it better than me.

--bill
From owner-namedroppers@ops.ietf.org Wed May 20 19:31:36 2009
From: Mark Andrews
To: bmanning@vacation.karoshi.com
Cc: Paul Vixie, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-reply-to: <20090521015608.GA20476@vacation.karoshi.com.>
Date: Thu, 21 May 2009 12:28:05 +1000
Message-Id: <200905210228.n4L2S55R064036@drugs.dv.isc.org>

In message <20090521015608.GA20476@vacation.karoshi.com.>, bmanning@vacation.karoshi.com writes:
> On Wed, May 20, 2009 at 11:16:41PM +0000, Paul Vixie wrote:
> > > > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> > > > if an application is making such a query, that application is confused.
> > >
> > > perhaps you mean -most- applications are confused.
> >
> > i'm talking specifically about stubs, not server to server. if an app is
> > asking CNAME or ANY questions, through a stub, it's for diagnostic purposes.
>
> and such an application is thereby -not- confused, but is doing
> what it was designed to do.
>
> the heartburn here is that folks who have written applications that
> pull data out of the DNS have been lazy and punted to "get everything"
> aka ANY, w/o an understanding of what that meant, and while it worked
> for the most part, the underlying protocol has changed what it means
> to "get everything" ... and instead of fixing the apps (or letting the
> orphans die a natural death) a few folks want the DNS protocol jocks
> to mod the protocol for their particular borked, EOL application.
>
> Ed said it better than me.

From a protocol perspective nothing has changed. ANY still
means ANY. There is just a data volume change over time.

> --bill

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
From owner-namedroppers@ops.ietf.org Wed May 20 20:07:59 2009
Date: Thu, 21 May 2009 03:00:47 +0000
From: bmanning@vacation.karoshi.com
To: Mark Andrews
Cc: bmanning@vacation.karoshi.com, Paul Vixie, David Conrad, George Barwood, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090521030047.GA20996@vacation.karoshi.com.>
In-Reply-To: <200905210228.n4L2S55R064036@drugs.dv.isc.org>

On Thu, May 21, 2009 at 12:28:05PM +1000, Mark Andrews wrote:
>
> In message <20090521015608.GA20476@vacation.karoshi.com.>, bmanning@vacation.karoshi.com writes:
> > On Wed, May 20, 2009 at 11:16:41PM +0000, Paul Vixie wrote:
> > > > > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic-only.
> > > > > if an application is making such a query, that application is confused.
> > > >
> > > > perhaps you mean -most- applications are confused.
> > >
> > > i'm talking specifically about stubs, not server to server. if an app is
> > > asking CNAME or ANY questions, through a stub, it's for diagnostic purposes.
> >
> > and such an application is thereby -not- confused, but is doing
> > what it was designed to do.
> >
> > the heartburn here is that folks who have written applications that
> > pull data out of the DNS have been lazy and punted to "get everything"
> > aka ANY, w/o an understanding of what that meant, and while it worked
> > for the most part, the underlying protocol has changed what it means
> > to "get everything" ... and instead of fixing the apps (or letting the
> > orphans die a natural death) a few folks want the DNS protocol jocks
> > to mod the protocol for their particular borked, EOL application.
> >
> > Ed said it better than me.
>
> From a protocol perspective nothing has changed. ANY still
> means ANY. There is just a data volume change over time.

no problem then.. however, I saw this posting, which suggests some would contemplate a protocol change (removing ANY)..

Date: Wed, 20 May 2009 11:35:01 +1000

   ANY queries are a bad idea and should be stomped on with extreme prejudice.

--bill

> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id E3226E601C; Thu, 21 May 2009 03:17:33 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4L3HVl6074544; Thu, 21 May 2009 13:17:31 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200905210317.n4L3HVl6074544@drugs.dv.isc.org> To: bmanning@vacation.karoshi.com Cc: Paul Vixie , David Conrad , George Barwood , namedroppers@ops.ietf.org From: Mark Andrews Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-reply-to: Your message of "Thu, 21 May 2009 03:00:47 GMT." <20090521030047.GA20996@vacation.karoshi.com.> Date: Thu, 21 May 2009 13:17:31 +1000 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: In message <20090521030047.GA20996@vacation.karoshi.com.>, bmanning@vacation.ka roshi.com writes: > On Thu, May 21, 2009 at 12:28:05PM +1000, Mark Andrews wrote: > > > > In message <20090521015608.GA20476@vacation.karoshi.com.>, bmanning@vacatio > n.karoshi.com writes: > > > On Wed, May 20, 2009 at 11:16:41PM +0000, Paul Vixie wrote: > > > > > > queries for ANY, for NS and SOA, and for CNAME, are all diagnostic- > only. > > > > > > if an application is making such a query, that application is confu > sed. > > > > > > > > > > perhaps you mean -most- applications are confused. > > > > > > > > i'm talking specifically about stubs, not server to server. if an app > is > > > > asking CNAME or ANY questions, through a stub, it's for diagnostic purp > oses. > > > > > > and such an application is thereby -not- confused, but is doing > > > what it was designed to do. 
> > > > > > the heartburn here is that folks who have written applications that > > > pull data out of the DNS have been lazy and punted to "get everthing" > > > aka ANY, w/o an understanding of what that ment, and while it worked > > > for the most part, the underlaying protocol has changed what it means > > > to "get everything" ... and instead of fixing the apps (or letting the > > > orphans die a natural death) a few folks want the DNS protocol jocks > > > to mod the protocol for their particular borked, EOL application. > > > > > > Ed said it better than me. > > > > From a protocol perspective nothing has changed. ANY still > > means ANY. There is just a data volume change over time. > > no problem then.. however, I saw this posting, which suggests some woul > d contemplate > a protocol change (removing ANY).. > > Date: Wed, 20 May 2009 11:35:01 +1000 > > ANY queries are a bad idea and should be stomped on with extreme prej > udice. They should be. ANY queries just make the applications more fragile. If the application need a type it still has to have code to explicity query for it if that type if it is not returned. Some people think ANY queries will speed up the processing but they can also slow up processing as you may still need to do all the explicit queries. Mark > --bill > > > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
From owner-namedroppers@ops.ietf.org Wed May 20 21:52:02 2009
Date: Wed, 20 May 2009 21:48:02 -0700
From: David Conrad
To: George Barwood
Cc: "bert hubert" , ,
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-Id: <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org>
In-Reply-To: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost>
References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <0BDB10F120AF4CB0A7B68B5E054FD886@localhost>

George,

On May 20, 2009, at 3:17 PM, George Barwood wrote:
> I don't see how ANY can be taken as an explicit indication that the
> resolver understands DNSSEC RRs,
> that's clearly not the case, so there is inconsistency.

As I said before, your opinion differs from the consensus of the working
group at the time. It's really quite simple: ANY was taken as meaning
'any'. Not 'some'. Not 'only the old stuff'. Any. Including DNSSEC RRs.
I'm sorry you consider it inconsistent, but I won't bother arguing since
it's actually irrelevant.

As far as I can tell, the reality today is that it appears exceedingly
unlikely folks are going to hack their name servers in order to allow a
decade plus old MTA that would appear to be broken out of the box to
continue to limp along. As more zones get signed, the folks that run
those unpatched MTAs will increasingly see the bogus error message and
either apply the patch to allow the MTA to deal with large responses
(DNSSEC or not) or upgrade to a modern MTA.

It is, of course, possible that some folks like (presumably) yourself
won't sign their zones fearing the < 6% of MTAs (I wonder how many of
those are unpatched) that might not be able to send mail to them. That
would be unfortunate, but I am somewhat skeptical that this would be
sufficient mass to force DNS software vendors to modify their code.
Maybe I'm wrong.

Regards,
-drc

From owner-namedroppers@ops.ietf.org Thu May 21 02:48:41 2009
Date: Thu, 21 May 2009 11:46:04 +0200 (CEST)
From: sthaug@nethelp.no
To: george.barwood@blueyonder.co.uk
Cc: drc@virtualized.org, bert.hubert@gmail.com, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-Id: <20090521.114604.74662153.sthaug@nethelp.no>
In-Reply-To: <59F3BDD0AE0B454991154F1F4BC901FE@localhost>
References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org> <59F3BDD0AE0B454991154F1F4BC901FE@localhost>

> My purpose here is not to predict the future, but to flag the (potential) problem,
> and also to safeguard my job by not installing something that may cause some
> email to bounce.

Then you should use a different mail system than qmail. Unpatched qmail
has problems *today*, without DNSSEC.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
From owner-namedroppers@ops.ietf.org Thu May 21 03:03:41 2009
Date: Thu, 21 May 2009 12:01:15 +0200 (CEST)
From: sthaug@nethelp.no
To: george.barwood@blueyonder.co.uk
Cc: drc@virtualized.org, bert.hubert@gmail.com, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-Id: <20090521.120115.41719586.sthaug@nethelp.no>
References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org>

> What will happen is that soon after installing DNSSEC and signing a zone,
> email will start to bounce, the DNS operator will be notified of the problem
> ( after much head scratching ) and DNSSEC will be uninstalled until the
> problem can be fixed. On the basis of once-bitten, twice shy, the deployment
> attempt may be abandoned permanently ( "DNSSEC is too much trouble" ).

No. Any qmail installation today which sees a significant volume of traffic
to and from the Internet either *already* has problems (which are not due
to DNSSEC), or has installed the necessary qmail patches. If you google for
"qmail patch dns" the very first entry says "Big DNS patch for qmail", and
is from 1998.

DNSSEC does not create any new problems for qmail.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
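Two wire-format details carry this whole sub-thread: RFC 3225 signals DNSSEC awareness with the DO bit inside the EDNS0 OPT pseudo-RR, and a client that sends no OPT RR at all has implicitly told the server it can take at most 512 bytes of UDP, so any larger answer to its ANY query (RRSIGs or not) comes back with TC set. The block below is an added example, not code from this thread or from qmail, BIND or any other software named in it; it builds an ANY query both with and without EDNS0/DO, decodes what the server sees, and reports whether a response of a given size would be truncated for that querier. The query name, transaction ID and response sizes are constructed for illustration.

```python
import struct

QTYPE_ANY = 255
TYPE_OPT = 41
FLAG_RD = 0x0100          # header flags: recursion desired
FLAG_TC = 0x0200          # header flags: truncated
DO_BIT = 0x8000           # DO flag in the low 16 bits of the OPT RR "TTL" field (RFC 3225)
LEGACY_UDP_MAX = 512      # UDP payload ceiling for a querier with no OPT RR (RFC 1035)


def encode_name(name):
    """Domain name as uncompressed DNS labels, e.g. example.com. -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_size=4096, do=False):
    """EDNS0 OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size,
    TTL = extended RCODE | version | DO | Z, empty RDATA."""
    ttl = DO_BIT if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns=False, do=False, udp_size=4096):
    """One question and, when edns or do is set, one OPT RR in the additional section."""
    arcount = 1 if (edns or do) else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if arcount:
        msg += build_opt_rr(udp_size, do)
    return msg


def skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer (0xC0) ends the name in two bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Header flags and counts, plus the OPT RR (if any) found in the RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            opt = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & DO_BIT)}
    return {"id": txid, "tc": bool(flags & FLAG_TC), "qdcount": qd, "arcount": ar, "opt": opt}


def advertised_udp_size(query):
    """What the querier told the server it can receive over UDP."""
    opt = parse_message(query)["opt"]
    return opt["udp_size"] if opt else LEGACY_UDP_MAX


def would_truncate(query, response_size):
    """True when a server answering this querier must set TC (and the client must retry over TCP)."""
    return response_size > advertised_udp_size(query)


if __name__ == "__main__":
    legacy = build_query("example.com.")                       # no OPT RR: the unpatched-MTA case
    modern = build_query("example.com.", edns=True, do=True)   # EDNS0, 4096 bytes, DO=1
    for label, q in (("no EDNS0", legacy), ("EDNS0+DO", modern)):
        print(label, parse_message(q)["opt"], "max UDP", advertised_udp_size(q),
              "700-byte answer truncated:", would_truncate(q, 700))
```

The point the example makes concrete is Steinar's: the 512-byte limit is a property of the querier, not of DNSSEC, so a client with no OPT RR is truncated by any answer over 512 bytes, whether the extra bytes are RRSIGs or just a long MX RRset.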
From owner-namedroppers@ops.ietf.org Thu May 21 04:46:18 2009
Date: Thu, 21 May 2009 11:41:29 +0000
From: bmanning@vacation.karoshi.com
To: George Barwood
Cc: sthaug@nethelp.no, drc@virtualized.org, bert.hubert@gmail.com, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <20090521114129.GA24871@vacation.karoshi.com.>
References: <20090521.114604.74662153.sthaug@nethelp.no>

On Thu, May 21, 2009 at 12:05:29PM +0100, George Barwood wrote:
> ----- Original Message -----
> Sent: Thursday, May 21, 2009 10:46 AM
> Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
>
>
> >> My purpose here is not to predict the future, but to flag the (potential) problem,
> >> and also to safeguard my job by not installing something that may cause some
> >> email to bounce.
> >
> > Then you should use a different mail system than qmail. Unpatched qmail
> > has problems *today*, without DNSSEC.
>
> I don't use qmail, the problem is that I still want to receive email from people who are using it,
> including those who have not updated their systems since 1990, or who are using derivative software,
> or ..... a million other possibilities, which I have zero control over.

Can't fault you for wanting to support "long-tail" ... If I may, how long
are you willing to wait for folks to catch up?

As a data point, I find there remains little community sympathy for my use
of BIND 4.9.x code... or sendmail 5x.

--bill
From owner-namedroppers@ops.ietf.org Thu May 21 04:56:15 2009
Date: Thu, 21 May 2009 15:53:37 +0400
From: Basil Dolmatov
To: George Barwood
CC: sthaug@nethelp.no, drc@virtualized.org, bert.hubert@gmail.com, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <4A1540C1.4000603@cryptocom.ru>
References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org> <59F3BDD0AE0B454991154F1F4BC901FE@localhost> <20090521.114604.74662153.sthaug@nethelp.no>

George Barwood writes:
>
> I don't use qmail, the problem is that I still want to receive email from people who are using it,
> including those who have not updated their systems since 1990, or
> who are using derivative software,

Plesk, for instance, is still widely used on hosting platforms and
contains deeply-frozen qmail inside as main mail agent.

dol@
From owner-namedroppers@ops.ietf.org Thu May 21 06:50:20 2009
Date: Thu, 21 May 2009 15:45:25 +0200
From: Francis Dupont
To: Ólafur Guðmundsson /DNSEXT chair
cc: Florian Weimer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Increasing hash collision resilience
Message-Id: <200905211345.n4LDjQhb087760@givry.fdupont.fr>
In-reply-to: Your message of Mon, 18 May 2009 12:41:36 EDT. <200905181642.n4IGg5tw027927@stora.ogud.com>

In your previous mail you wrote:

   Is it time to change the status of SHA-1 in the registry from
   "MANDATORY" to "Not recommended" or "Obsolete"?
   http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

=> as the requirement is about implementation "OPTIONAL" should be enough.
But if one believes it is the right time to introduce a requirement about
usage then "not recommended" seems right.

   We need an RFC to make that change.

=> looking for an editor (:-)?

Regards

Francis.Dupont@fdupont.fr

PS: note the document should specify implementations SHOULD provide a
(per-domain) configuration flag to refuse SHA-1 only DS RRsets.

PPS: we should check too if deployed DNSSEC implementations support
SHA-256 DS RRs (IMHO it is the case but it is an opinion, not the result
of some research/poll/etc).
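The registry question above, and the PS about a per-domain flag to refuse SHA-1-only DS RRsets, are easiest to see against the DS construction itself. What follows is an added example, not code from this thread or from any DNSSEC implementation: it builds DS records for a DNSKEY with digest type 1 (SHA-1) and 2 (SHA-256) as RFC 4034 and RFC 4509 define them, verifies a DS against a DNSKEY, and applies a selection policy in which SHA-1 digests are ignored whenever SHA-256 digests are present (RFC 4509 section 3) and, under a flag that stands in for the one Francis suggests (an assumption here, not a published option), a SHA-1-only RRset yields nothing usable. The DNSKEY material is a constructed placeholder, not a real public key; what a validator does with an empty usable set (treat the delegation as insecure or as bogus) is left to the caller.

```python
import hashlib
import struct

# DS digest type codes from the IANA "DS RR digest types" registry (RFC 4034, RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_ALGORITHMS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase, uncompressed labels."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the ones-complement sum over the RDATA; not for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS RDATA fields: key tag, algorithm, digest type, digest = hash(owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGORITHMS[digest_type](canonical_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def present_ds(owner, ds):
    """Presentation format as it would appear in the parent zone."""
    return "%s IN DS %d %d %d %s" % (owner, ds["key_tag"], ds["algorithm"],
                                     ds["digest_type"], ds["digest"].hex().upper())


def ds_matches_dnskey(ds, owner, rdata):
    """Recompute the DS from the child's DNSKEY and compare every field to the published DS."""
    if ds["digest_type"] not in DIGEST_ALGORITHMS:
        return False  # unknown digest type: unusable, never a match
    expected = make_ds(owner, rdata, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"])


def usable_ds_records(ds_rrset, refuse_sha1_only=False):
    """DS records a validator should consider.

    RFC 4509 section 3: ignore SHA-1 DS records when SHA-256 ones are present in the RRset.
    refuse_sha1_only models the per-domain flag proposed in the message above (an assumption,
    not a standard knob): when set, an RRset carrying only SHA-1 digests yields no usable DS.
    """
    supported = [ds for ds in ds_rrset if ds["digest_type"] in DIGEST_ALGORITHMS]
    if any(ds["digest_type"] == DIGEST_SHA256 for ds in supported):
        return [ds for ds in supported if ds["digest_type"] != DIGEST_SHA1]
    if refuse_sha1_only:
        return []
    return supported


if __name__ == "__main__":
    # Constructed placeholder key: KSK flags (257), protocol 3, algorithm 8, four bytes of "key".
    key = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
    for dt in (DIGEST_SHA1, DIGEST_SHA256):
        print(present_ds("example.com.", make_ds("example.com.", key, dt)))
```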
From owner-namedroppers@ops.ietf.org Thu May 21 07:52:19 2009
Date: Thu, 21 May 2009 07:47:37 -0700
From: David Conrad
To: Basil Dolmatov
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-Id: <87C9F8BC-21DB-47A1-9071-5F1BEEEAC4A3@virtualized.org>
In-Reply-To: <4A1540C1.4000603@cryptocom.ru>
References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org> <59F3BDD0AE0B454991154F1F4BC901FE@localhost> <20090521.114604.74662153.sthaug@nethelp.no> <4A1540C1.4000603@cryptocom.ru>

On May 21, 2009, at 4:53 AM, Basil Dolmatov wrote:
> Plesk, for instance, is still widely used on hosting platforms and
> contains deeply-frozen qmail inside as main mail agent.

And that deeply-frozen qmail hasn't been modified to deal with large
responses?

Regards,
-drc
archive: From owner-namedroppers@ops.ietf.org Thu May 21 07:59:23 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B46AA3A6F70; Thu, 21 May 2009 07:59:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -99.625 X-Spam-Level: X-Spam-Status: No, score=-99.625 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zrm+tcaiPi+Q; Thu, 21 May 2009 07:59:22 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5E75C3A6A3D; Thu, 21 May 2009 07:59:22 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M79go-000OdA-4S for namedroppers-data0@psg.com; Thu, 21 May 2009 14:56:10 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M79ga-000Obt-Tj for namedroppers@ops.ietf.org; Thu, 21 May 2009 14:56:03 +0000 Received: from stora.ogud.com (localhost [127.0.0.1]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4LEttr0068402 for ; Thu, 21 May 2009 10:55:55 -0400 (EDT) (envelope-from namedroppers@stora.ogud.com) Received: (from namedroppers@localhost) by stora.ogud.com (8.14.3/8.14.3/Submit) id n4LEttOY068401 for namedroppers@ops.ietf.org; Thu, 21 May 2009 10:55:55 -0400 (EDT) (envelope-from namedroppers) Received: from [137.65.248.137] (helo=sinclair.provo.novell.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M6pMf-000JhN-Gr; Wed, 20 May 2009 17:14:07 +0000 Received: from INET-PRV-MTA by sinclair.provo.novell.com with Novell_GroupWise; 
Wed, 20 May 2009 11:13:58 -0600 Message-Id: <4A14021302000005001E108A@sinclair.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 7.0.3 Date: Wed, 20 May 2009 11:13:55 -0600 From: "Federico Lucifredi" To: , , Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm References: <4A14021302000005001E1087@sinclair.provo.novell.com> <4A14021302000005001E108A@sinclair.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: [ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ] I would support #3 for further study. Best-F ------Original Message------ From: =D3lafur Gu=F0mundsson /DNSEXT chair Sender: owner-namedroppers@ops.ietf.org To: namedroppers@ops.ietf.org Sent: May 20, 2009 11:17 Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm With less than one day left before the chairs need to make a determination.= The purpose of this message is to point out that the discussion has possibly been derailed by heated arguments about the merits of a subset of = the options, at the detriment of other options. At this point we have enough support to say EDNS0 Ping is acceptable for further study, even though there is a large number detractors. (option #4) It is close call for option #3 x20 There is no public support for option #2, and no one has argued for option = #1. If you are in favor of options #1, #2 or #5 now is the time to speak up. As an experiment I have set up a poll for the different options, http://www.doodle.com/7yvife73qvwtnr5m Feel free to post to namedroppers or participate in the pool. 
When you participate in the poll use a name that I can correlate to a namedroppers subscription i.e. no AB or BA names.

thanks
Olafur

At 14:14 08/05/2009, Andrew Sullivan wrote:
>Dear colleagues,
>
>Your Chairs have been observing the discussion around adoption of
>various drafts for techniques to mitigate forgeries and cache
>poisoning. It appears to us that the WG is not converging on
>consensus.
>
>We currently have a request open to adopt EDNS0 ping. The discussion
>of adopting the document appeared to expose a fault in the community,
>where some expressed strong opposition to undertaking any further forgery
>resilience work when DNSSEC is already available, while others argued
>that DNSSEC is not getting deployed and therefore we need other urgent
>action.
>
>Meanwhile, some other mechanisms, including "0x20" and those outlined
>in draft-wijngaards-dnsext-resolver-side-mitigation-01.txt seem to be
>showing up in various implementations.
>
>We think it would be better if we came to some more or less shared
>agreement on what to do in this space (including nothing). The
>portion of the meeting we had in Dublin that was dedicated to this
>topic seems not to have inspired consensus. Therefore, we would like
>to present five options for consideration:
>
>1. Do nothing, and take all energy that might be devoted to this
>effort and direct it towards DNSSEC deployment.
>
>2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and
>include in it recommendations to do nothing else except what that
>document contains. Remove from section 3 any strategies we do not
>want to adopt. (Note that this latter condition entails decisions
>about the next two options.)
>
>3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps
>this gets included in that document, or perhaps it proceeds as part of
>a set of documents.
>Let's leave the editorial process issues out of
>the discussion, and just focus on whether we want to include this
>strategy in the tool box.
>
>4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this
>might be included as part of (2) or processed individually, but that
>doesn't matter.
>
>5. Officially adopt nothing, but support (2) and (3) going ahead as
>individual submissions on the Informational track. (2) would
>obviously need to be modified slightly to keep out any protocol items
>that might be entailed. The reason (4) can't just go ahead on the
>individual track is that the assignment of an EDNS0 code point
>requires standards action, so the work would come back here anyway.
>
>We will plan to request a meeting session in Stockholm to discuss this
>issue (and possibly some other topics before us). If the WG can come
>to a clear consensus on-list before then (and we have no other
>business), then obviously we will be in a position to cancel the
>Stockholm session. If we have not come to a conclusion by 20 May, we
>will keep the session scheduled.
>
>In the absence of strong arguments in favour of action and at least an
>apparently broad constituency to do the work within the WG, the Chairs
>are inclined to take option (1), because the WG is supposed to be
>sleeping. This is by no means to say that we are prejudiced in favour
>of that option. It is rather to say that we are procedurally bound,
>by our charter, to a default of "No" for at least some of these
>documents. Adding a new standards-track item to the WG work requires
>rechartering, please note, and given one other request we have open we
>may therefore need to recharter anyway.
>
>Best regards,
>
>Olafur and Andrew
>
>--
>Andrew Sullivan
>ajs@shinkuro.com
>Shinkuro, Inc.
>
>--
>to unsubscribe send a message to namedroppers-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive:

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 21 08:01:39 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 102CF3A6DAF; Thu, 21 May 2009 08:01:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.21 X-Spam-Level: X-Spam-Status: No, score=-0.21 tagged_above=-999 required=5 tests=[AWL=-0.337, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTPfb9PeUY7q; Thu, 21 May 2009 08:01:38 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9D17C3A6FAF; Thu, 21 May 2009 08:00:45 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M79id-000Onn-RC for namedroppers-data0@psg.com; Thu, 21 May 2009 14:58:03 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M79iR-000Omm-GW for namedroppers@ops.ietf.org; Thu, 21 May 2009 14:57:57 +0000 Received: from stora.ogud.com (localhost [127.0.0.1]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4LEvmCK068414 for ; Thu, 21 May 2009 10:57:48 -0400 (EDT) (envelope-from namedroppers@stora.ogud.com) Received: (from namedroppers@localhost) by stora.ogud.com (8.14.3/8.14.3/Submit) id n4LEvmwe068413 for namedroppers@ops.ietf.org; Thu, 21 May 2009 10:57:48 -0400 (EDT)
(envelope-from namedroppers) Received: from [209.85.219.221] (helo=mail-ew0-f221.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M75qv-000KNX-OG for namedroppers@ops.ietf.org; Thu, 21 May 2009 10:50:28 +0000 Received: by ewy21 with SMTP id 21so1144427ewy.41 for ; Thu, 21 May 2009 03:50:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to:cc :content-type:content-transfer-encoding; bh=FvKxEdbengeNBO2q0yWShp7vtMYKDpzfTo2nsHNmbjk=; b=FFhqeOpQy1ACTJVvDXegO71juvECORx2BbPdXZoJQ/MQM1pOXb5ZPxlwIg/8Eh/vYq JXugDsSiVsuVPbjxNLzBWqsPfoSOspvUFTs94uLWWfYyFV25CLO4mLFgWZWa1uLwbasT UTIz4/yVHh1e8PjqIRRAcqTpIlrw1dpMZbasI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=fOpZDQBdB45bxjTpYbqMvWcPCI7URY+ul/OYMF5sRpQeFGDoD4VKOX+0XH3xs4BpW8 8IlG9p3YD/q/H6LsXYw1ple2NG8fko4R0wsm9n4PjnRYc2ZLCO7xD/NbiIdEEY/qBeIh ofoNWLIME5vh5J+uDtBM3f76fA/5gLUfFYP6s= MIME-Version: 1.0 Received: by 10.210.53.5 with SMTP id b5mr2567743eba.25.1242903019128; Thu, 21 May 2009 03:50:19 -0700 (PDT) In-Reply-To: <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> From: bert hubert Date: Thu, 21 May 2009 12:49:59 +0200 X-Google-Sender-Auth: b761f3818ab1b80d Message-ID: <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY To: David 
Conrad Cc: George Barwood , bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

On Wed, May 20, 2009 at 11:22 PM, David Conrad wrote:
>> Should this working group think otherwise (which I doubt), it would be
>> out of touch with reality.
>
> So, for sake of argument, let's say Microsoft had released software that
> didn't conform to published standards, whereas numerous other vendors had
> implemented according to standard. You are arguing that the right course of
> action is to revise the standard to match Microsoft's non-standard
> implementation? In my experience, the IETF has taken the opposite view.

Tis a tricky thing. The scenario George Barwood outlined is rather plausible. If I perform what has been described as a harmless step in joining the future, and sign my zone, and discover I start getting complaints my mail is bouncing, I will be sorely tempted to unsign my zone. [1]

DNSSEC was designed to fit the existing DNS infrastructure, and to not break things. Should a protocol labelled as such turn out to actually break things in practice, even if those things had not been as liberal in what they accepted as they should have been, this should give us pause for thought.

It may be that the IETF is seen as powerful enough to break existing installations through standards actions, and get away with it, but I doubt it.

In effect, qmail is not what we should be worrying about as anybody running qmail has gotten used to patching it anyhow, and 'the source is out there'. Legacy email infrastructures however are a different story.
Bert

[1] at which point I might discover that 'going back' by itself can lead to downtime for my entire zone

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 21 09:33:18 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2FE2A28C149; Thu, 21 May 2009 09:33:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.841 X-Spam-Level: X-Spam-Status: No, score=-0.841 tagged_above=-999 required=5 tests=[AWL=-0.346, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOHvLscFoCpO; Thu, 21 May 2009 09:33:17 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4AFA828C125; Thu, 21 May 2009 09:33:17 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7B6z-000AG2-JV for namedroppers-data0@psg.com; Thu, 21 May 2009 16:27:17 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7B6m-000AEy-M0 for namedroppers@ops.ietf.org; Thu, 21 May 2009 16:27:11 +0000 Received: from [10.31.200.157] (ns.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4LGQwpq069392; Thu, 21 May 2009 12:26:59 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz) Mime-Version: 1.0 Message-Id: In-Reply-To: <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org>
<20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> Date: Thu, 21 May 2009 12:18:44 -0400 To: namedroppers@ops.ietf.org From: Edward Lewis Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY Cc: ed.lewis@neustar.biz Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

At 12:49 +0200 5/21/09, bert hubert wrote:
>It may be that the IETF is seen as powerful enough to break existing
>installations through standards actions, and get away with it, but I
>doubt it.

The IETF is powerless. In my years in the industry IETF goons have never broken down the doors and demanded I deploy what's in an RFC under any threat.

Organizations will enact a change to their systems if one of these two outcomes is anticipated:

Cost of producing a product or service will drop, raising income
Revenue from producing a product or service will rise, raising income

An important word there is "anticipated" - organizations know we don't have perfect future information.

DNSSEC did not get rolling in-house with the publication of RFCs on DNSSEC. DNSSEC did get rolling when there was a clear incentive to go forward. Did we start knowing all of the pitfalls? No. Did we know that? Yes. What do we include in our plans? Testing.

The trust anchor redistribution problems documented on a non-IETF list not only altered our testing plans (increasing things to test), but also have provided contradictory evidence to the commonly held belief that DNSSEC will be dropped at the first hint of trouble.

DNSSEC is unapologetically a major change to the DNS.
It ranks up there in architectural and operational significance with the addition of IXFR and Dynamic Update, above even RFC 2181 and NCACHE. It's a needed upgrade to the protocol, a need evidenced by the effort to date to just get this deployed.

DNSSEC is a well-crafted solution to a tough problem, grafted onto a security-unfriendly base. Not only did the effort have to contend with poorly prepared definition documents (RFCs) but also a host of "in the field architectural updates" that were myopic[0] to various degrees.

DNSSEC is not easy on the engineers, but that was never the goal. In presentations I gave 18 months ago, before the current push to deploy, even if DNSSEC never rolled out at all, we managed to clean up the DNS protocol to a great extent.

[0] = short sighted; a term referring to a condition of the eye

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From grapnelsnoe80@pilot.fedex.com Thu May 21 09:50:21 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D81C3A6D99; Thu, 21 May 2009 09:50:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.732 X-Spam-Level: X-Spam-Status: No, score=0.732 tagged_above=-999 required=5 tests=[BAYES_99=3.5, FH_FAKE_RCVD_LINE_B=5.777, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, GB_I_LETTER=-2, HELO_DYNAMIC_HCC=4.295, HELO_DYNAMIC_IPADDR=2.426, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.263, MIME_QP_LONG_LINE=1.396, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1, URIBL_AB_SURBL=10, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_OB_SURBL=10, URIBL_SC_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMhZP8PNowoZ; Thu, 21 May 2009 09:50:10 -0700 (PDT) Received: from d-24-245-107-84.cpe.metrocast.net (d-24-245-107-84.cpe.metrocast.net [24.245.107.84]) by core3.amsl.com (Postfix) with ESMTP id 6FD583A685A; Thu, 21 May 2009 09:50:08 -0700 (PDT) Received: from 24.245.107.84 by smtp.dmz.fedex.com; Thu, 21 May 2009 12:51:27 -0500 Message-ID: <000d01c9da34$621026b0$6400a8c0@grapnelsnoe80> From: "Juanita Galindo" To: Subject: We will not let your virility retire so quickly.
Date: Thu, 21 May 2009 12:51:27 -0500 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0075_01C9DA34.621026B0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Windows Mail 6.0.6001.18000 X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

http://adelaide.bewwozep.cn/

AARP Webletter

Having trouble viewing images? Click here to view as a webpage. To ensure delivery to your inbox, please add aarpnews@news.aarp.org to your address book.

WEBLETTER
A weekly publication from AARP
Volume 14, Issue 20 | May 13, 2009

Visit AARP.org
Read Today's News
AARP Membership: Join / Renew
Send To A Friend

Doctor Seacat Gabriele provided personal 80% discount for you. Discount code D-63253-53503-25893
Click here to activate discount

Visit AARP.org
Read Today's News
AARP Membership: Join / Renew
Send To A Friend

Manage My E-mail Subscriptions

You are receiving this message because you are subscribed to the AARP Webletter. If you would like to cancel your subscription, please click here. We welcome your feedback about the newsletter, but please use our contact AARP link if you have questions about AARP or your membership.

If you would prefer to stop receiving all e-mail from AARP, please click here.

If you would like to manage all of your AARP e-newsletter subscriptions, visit the e-mail updates page on the AARP Web site.

Add us to your address book! Add aarpnews@news.aarp.org to your address book now to ensure your AARP newsletter always gets delivered.

AARP is a nonprofit, nonpartisan membership organization that helps people 50+ have independence, choice, and control in ways that are beneficial and affordable to them and to society as whole.

*AARP Member Benefits are provided by third parties through contractual arrangements with AARP, and AARP Services, Inc., a wholly-owned subsidiary of AARP, or AARP Financial Inc., a wholly-owned subsidiary of AARP Services, Inc. Arranged offers and discounts do not imply endorsement of firms by AARP, AARP Services or AARP Financial. Offers are subject to change, and may have limited availability or restrictions, so please contact the provider directly to get more details.

Privacy Statement
We are committed to protecting your privacy. See our privacy policy for additional information.

AARP ©1995-2009, All rights reserved.
601 E Street NW, Washington, DC 20049
From owner-namedroppers@ops.ietf.org Thu May 21 09:52:06 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A908328C1A9; Thu, 21 May 2009 09:52:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.401 X-Spam-Level: X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[AWL=0.198, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQUbeiY6BfPh; Thu, 21 May 2009 09:52:05 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0866E3A685C; Thu, 21 May 2009 09:51:45 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7BRL-000CZ7-TX for namedroppers-data0@psg.com; Thu, 21 May 2009 16:48:19 +0000 Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7BR7-000CXb-1q for namedroppers@ops.ietf.org; Thu, 21 May 2009 16:48:13 +0000 Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id A1FC4A2C66 for ; Thu, 21 May 2009 16:48:04 +0000 (UTC) (envelope-from vixie@nsa.vix.com) From: Paul Vixie To: namedroppers@ops.ietf.org Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-Reply-To: Your message of "Thu, 21 May 2009 15:53:37 +0400."
<4A1540C1.4000603@cryptocom.ru> References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost><26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org><59F3BDD0AE0B454991154F1F4BC901FE@localhost> <20090521.114604.74662153.sthaug@nethelp.no> <4A1540C1.4000603@cryptocom.ru> X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1 Date: Thu, 21 May 2009 16:48:04 +0000 Message-ID: <13342.1242924484@nsa.vix.com> Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

> > I don't use qmail, the problem is that I still want to receive email
> > from people who are using it, including those who have not updated
> > their systems since 1990, or who are using derivative software,

that option is not on the table, and hasn't been, and not because of DNSSEC.

> Plesk, for instance, is still widely used on hosting platforms and
> contains deeply-frozen qmail inside as main mail agent.

i'd heard that plesk had the "big dns patch" applied many years ago, due to customer complaints.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 21 10:53:27 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 06C053A6FF9; Thu, 21 May 2009 10:53:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.495 X-Spam-Level: X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4d+BlShCHww4; Thu, 21 May 2009 10:53:25 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BBEF43A6F2C; Thu, 21 May 2009 10:53:25 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7COF-000JuI-5D for namedroppers-data0@psg.com; Thu, 21 May 2009 17:49:11 +0000 Received: from [74.125.78.27] (helo=ey-out-2122.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7CO2-000JtU-Ar for namedroppers@ops.ietf.org; Thu, 21 May 2009 17:49:04 +0000 Received: by ey-out-2122.google.com with SMTP id d26so315770eyd.65 for ; Thu, 21 May 2009 10:48:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=44SmFih9gwpRABER0bm1q/5ImGPRA3Pyi7TKJnuzuo8=; b=xVYi/RbgTgElRqmTl693TCewzbrllO2TW9N5cSOalSu5akbFmg/hwyeV1Zj8+x6cdU sszDqWKnOzsOv3GIwnBgYkiZUoMwqQMRSbSQ2IRmoDqLZ68DuhPGM0pg+RbwTaPW4jHV uAt4DTaEf248mNfoPgE9iZhsMUrIPgRg5+9G8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc:content-type:content-transfer-encoding; b=K9zMJM5PBvPe22EHGxXnBB41n0YXdVeXnrEFSdedFtaERtOBI3x6B8m5dAR9ybwtI1 thpmLS+ExWa5oLzVcUArGpZ6ZMmJyqzdkhMtOoBB6Ic1y1odvLwkkOg+e2Qyn9AnRtGC jLmfks6cLDhVinKDMCqtvh5up9sEqB3qCkqs0= MIME-Version: 1.0 Received: by 10.210.109.10 with SMTP id h10mr950431ebc.24.1242928132170; Thu, 21 May 2009 10:48:52 -0700 (PDT) In-Reply-To: References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> From: bert hubert Date: Thu, 21 May 2009 19:48:32 +0200 Message-ID: <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY To: Edward Lewis Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

On Thu, May 21, 2009 at 6:18 PM, Edward Lewis wrote:
> Organizations will enact a change to their systems if one of these two
> outcomes is anticipated:
>
> Cost of producing a product or service will drop, raising income
> Revenue from producing a product or service will rise, raising income

To the extent this is true (I think you underestimate the lack of rationality in organizational thinking), be aware that the cost of a single 'customer problem interaction' is valued at around $7 for large access providers.

I just measured, I consistently see 200 times fewer ANY queries than MX queries on a large auth server. Many of these ANY queries indeed appear to be email related.

So the upper limit of 'huge ANY answer'-problems appears to be 'one in 200 mail lookups'.
Bert

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:

From owner-namedroppers@ops.ietf.org Thu May 21 11:11:37 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 227023A6FFE; Thu, 21 May 2009 11:11:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.836 X-Spam-Level: X-Spam-Status: No, score=-0.836 tagged_above=-999 required=5 tests=[AWL=-0.341, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ICIvdczgnDpE; Thu, 21 May 2009 11:11:36 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 42FF83A694A; Thu, 21 May 2009 11:11:36 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7ChM-000McV-Iq for namedroppers-data0@psg.com; Thu, 21 May 2009 18:08:56 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Ch9-000MbW-BF for namedroppers@ops.ietf.org; Thu, 21 May 2009 18:08:49 +0000 Received: from [10.31.200.157] (mail.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4LI8bh4070271; Thu, 21 May 2009 14:08:38 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz) Mime-Version: 1.0 Message-Id: In-Reply-To: <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost>
<5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> Date: Thu, 21 May 2009 14:08:34 -0400 To: namedroppers@ops.ietf.org From: Edward Lewis Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY Cc: Edward Lewis Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

At 19:48 +0200 5/21/09, bert hubert wrote:
>To the extent this is true (I think you underestimate the lack of
>rationality in organizational thinking), be aware that the cost of a
>single 'customer problem interaction' is valued at around $7 for large
>access providers.

I work for a large organization principally because I once felt they were irrational and wanted an inside look to see what was going on. What I have learned is that organizations are generally more rational than singleton human beings - largely because of the built-in checks and balances. Often times an outsider might think a move is irrational, but that is usually because the outsider doesn't have the whole picture. And often times an insider might question a move, but that is usually because the insider too doesn't have everything considered.

I don't get what the $7 figure means to the discussion.

>I just measured, I consistently see 200 times fewer ANY queries than
>MX queries on a large auth server. Many of these ANY queries indeed
>appear to be email related.
>
>So the upper limit of 'huge ANY answer'-problems appears to be 'one in
>200 mail lookups'.

I don't see a point to this observation, nor any supporting documentation for that matter.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis    NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.

From owner-namedroppers@ops.ietf.org Thu May 21 11:11:49 2009
From: Paul Vixie
To: bert hubert
cc: Edward Lewis, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-Reply-To: Your message of "Thu, 21 May 2009 19:48:32 +0200."
Date: Thu, 21 May 2009 18:09:42 +0000
Message-ID: <16998.1242929382@nsa.vix.com>

> So the upper limit of 'huge ANY answer'-problems appears to be 'one in
> 200 mail lookups'.

there is nothing the DNS community can do to make those ANY queries succeed, even if we revised RFC 3225, which appears unlikely at best.
From owner-namedroppers@ops.ietf.org Thu May 21 11:15:13 2009
Date: Thu, 21 May 2009 19:13:07 +0100
From: Alex Bligh
To: bert hubert, Edward Lewis
cc: namedroppers@ops.ietf.org, Alex Bligh
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <258CB428CC561E9DAFBAD481@nimrod.local>
In-Reply-To: <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com>
--On 21 May 2009 19:48:32 +0200 bert hubert wrote:

> I just measured, I consistently see 200 times fewer ANY queries than
> MX queries on a large auth server. Many of these ANY queries indeed
> appear to be email related.
>
> So the upper limit of 'huge ANY answer'-problems appears to be 'one in
> 200 mail lookups'.

Possibly OT for dnsext, but is there available data for number of queries of a similar type over a many year time period? It would be interesting to know if, for instance, ANY queries were decreasing over time, whilst (presumably) MX queries grow.

--
Alex Bligh
From owner-namedroppers@ops.ietf.org Thu May 21 11:36:36 2009
In-Reply-To: <258CB428CC561E9DAFBAD481@nimrod.local>
Date: Thu, 21 May 2009 11:33:23 -0700
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
From: Matthew Dempsky
To: Alex Bligh
Cc: bert hubert, Edward Lewis, namedroppers@ops.ietf.org

On Thu, May 21, 2009 at 11:13 AM, Alex Bligh wrote:
> Possibly OT for dnsext, but is there available data for number of queries
> of a similar type over a many year time period? It would be interesting
> to know if, for instance, ANY queries were decreasing over time, whilst
> (presumably) MX queries grow.

Just so there's no confusion, qmail only sends ANY queries to check for CNAME records. It still uses MX and A queries when it wants MX and A records, respectively.
From owner-namedroppers@ops.ietf.org Thu May 21 11:47:37 2009
Date: Thu, 21 May 2009 19:44:25 +0100
From: Alex Bligh
To: Matthew Dempsky
cc: bert hubert, Edward Lewis, namedroppers@ops.ietf.org, Alex Bligh
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <80DE6681196D1F5DAD2386F5@nimrod.local>
--On 21 May 2009 11:33:23 -0700 Matthew Dempsky wrote:

> On Thu, May 21, 2009 at 11:13 AM, Alex Bligh wrote:
>> Possibly OT for dnsext, but is there available data for number of queries
>> of a similar type over a many year time period? It would be interesting
>> to know if, for instance, ANY queries were decreasing over time, whilst
>> (presumably) MX queries grow.
>
> Just so there's no confusion, qmail only sends ANY queries to check
> for CNAME records. It still uses MX and A queries when it wants MX
> and A records, respectively.

So if you run an authoritative nameserver, and sign a zone with DNSSEC, it will only break receiving mail from 10 year old unpatched versions of qmail if the zone you are signing itself contains a CNAME for an MX record, which is (AFAIK) non-RFC compliant anyway, and could be fixed by substituting the CNAME for the relevant A record prior to signing. Or have I misunderstood?
(My original question was more directed at determining whether what is x% this year will be y% next year, where y

From owner-namedroppers@ops.ietf.org Thu May 21 12:25:35 2009
Date: Thu, 21 May 2009 20:20:08 +0100
From: Tony Finch
To: bert hubert
cc: Edward Lewis, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-Reply-To: <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com>

On Thu, 21 May 2009, bert hubert wrote:
>
> I just measured, I consistently see 200 times fewer ANY queries than
> MX queries on a large auth server. Many of these ANY queries indeed
> appear to be email related.

That's an uncomfortably high proportion. I've had a brief glance at the code and it looks like (unpatched) qmail will be OK, since it only does ANY lookups when searching for CNAME records in order to canonicalize a domain just before doing an MX lookup. If the CNAME reply is truncated it should be alright so long as the DNSSEC records are dropped not the CNAME record.

Tony.
--
f.anthony.n.finch  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
From owner-namedroppers@ops.ietf.org Thu May 21 12:34:34 2009
In-Reply-To: <3efd34cc0905211204v788f6483m9e0d8cc9d3800539@mail.gmail.com>
Date: Thu, 21 May 2009 15:22:54 -0400
From: Edward Lewis
To: bert hubert
Cc: Edward Lewis, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY

At 21:04 +0200 5/21/09, bert hubert wrote:
>It means that a rational organization will weigh the impact of even a
>1% degradation of service very heavily if it means having to deal with
>all the people impacted by that 1%.
...
>It is sad that doing relevant measurements now elicits a response
>declaiming the lack of supporting documentation or 'point'.

What's wrong with asking for more info? Displaying results of germane measurements is indistinguishable from plucking numbers from air without any means for the reader to verify the numbers.

E.g., what's a 1% degradation in service? And how does an X% "degradation" imply there will be the same X - X% of customers calling in?

Having a point is good. Without one, this list is just a pointless time sink.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis    NeuStar
You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
From owner-namedroppers@ops.ietf.org Thu May 21 13:11:14 2009
Date: Thu, 21 May 2009 13:06:27 -0700
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
From: Matthew Dempsky
To: Tony Finch
Cc: bert hubert, Edward Lewis, namedroppers@ops.ietf.org

On Thu, May 21, 2009 at 12:20 PM, Tony Finch wrote:
> I've had a brief glance at the code and it looks like (unpatched) qmail
> will be OK, since it only does ANY lookups when searching for CNAME
> records in order to canonicalize a domain just before doing an MX lookup.
> If the CNAME reply is truncated it should be alright so long as the DNSSEC
> records are dropped not the CNAME record.

No, if the CNAME response packet's answer section exceeds 512 bytes, then parsing it will fail, and qmail will give up on trying to deliver the message to try again later.

If you build the dnscname program from qmail-1.03 ("make dnscname") and then run "dnscname isc.org" using a DNS cache like BIND that returns all records it has in cache in response to an ANY query, you'll get a soft error. (You might run "dig -t rrsig isc.org" first to ensure the RRSIG records are in cache, and then run "dig -t any isc.org" to make sure the cache includes them in the response to ANY queries; e.g., dnscache only returns NS records in response to an ANY query for isc.org, so qmail would be able to still deliver email to isc.org if configured to use dnscache instead of BIND.)
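How the 512-byte arithmetic behind that soft error works out, as an added example that is not code from qmail, BIND or dnscache: it serialises a constructed ANY answer for example.org in DNS wire format with and without the RRSIGs a signed zone adds, and shows what a server that truncates at 512 bytes leaves in the reply. The names, TTLs, key tag and the all-zero 256-byte signatures are constructed placeholders, and names are written uncompressed, so real replies come out somewhat smaller.

```python
import struct

UDP_LIMIT = 512  # plain DNS/UDP payload limit (RFC 1035) the thread is about
TYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "RRSIG": 46, "ANY": 255}
CLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Uncompressed wire form of a domain name: length-prefixed labels, root byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def encode_rr(owner, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA (RFC 1035 s4.1.3)."""
    return encode_name(owner) + struct.pack("!HHIH", TYPE[rtype], CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_rdata(covered, signer, sig_len=256):
    """RRSIG RDATA (RFC 4034 s3.1): type covered, algorithm 8 (RSA/SHA-256),
    label count, original TTL, expiration, inception, key tag, signer name,
    signature. The signature is a constructed all-zero blob of sig_len bytes
    (256 for RSA-2048); that is what makes each RRSIG about 300 bytes on the wire."""
    fixed = struct.pack("!HBBIIIH", TYPE[covered], 8, 2, 3600, 0, 0, 12345)
    return fixed + encode_name(signer) + bytes(sig_len)


def sample_answers(dnssec):
    """Constructed answer section for ANY example.org (no CNAME at the apex, the
    isc.org-like case above). With dnssec=True each RRset is followed by its
    RRSIG, the order a signed zone's server uses."""
    z = "example.org"
    rrsets = [
        [(z, "NS", 3600, encode_name("ns1.example.org")),
         (z, "NS", 3600, encode_name("ns2.example.org"))],
        [(z, "A", 3600, bytes([192, 0, 2, 1]))],
        [(z, "MX", 3600, struct.pack("!H", 10) + encode_name("mail.example.org")),
         (z, "MX", 3600, struct.pack("!H", 20) + encode_name("mail2.example.org"))],
    ]
    answers = []
    for rrset in rrsets:
        answers.extend(rrset)
        if dnssec:
            answers.append((z, "RRSIG", 3600, rrsig_rdata(rrset[0][1], z)))
    return answers


def build_response(qname, qtype, answers, tc_limit=None):
    """Serialise header + question + answer RRs. With tc_limit set, stop at the
    first RR that would push the message past it and set the TC bit, which is
    how a server answers a plain-UDP client that cannot take the whole reply.
    Returns (wire_bytes, list of the RR types that were kept)."""
    question = encode_name(qname) + struct.pack("!HH", TYPE[qtype], CLASS_IN)
    body, kept = b"", []
    for rr in answers:
        wire_rr = encode_rr(*rr)
        if tc_limit is not None and HEADER_LEN + len(question) + len(body) + len(wire_rr) > tc_limit:
            break
        body += wire_rr
        kept.append(rr[1])
    flags = 0x8180 | (0x0200 if len(kept) < len(answers) else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(kept), 0, 0)
    return header + question + body, kept


def tc_set(wire):
    """True when the TC (truncated) bit is set in the header flags."""
    return bool(struct.unpack("!H", wire[2:4])[0] & 0x0200)


def fits_plain_udp(wire):
    """Would this reply fit a client that sends no EDNS0 and buffers 512 bytes?"""
    return len(wire) <= UDP_LIMIT


if __name__ == "__main__":
    plain, _ = build_response("example.org", "ANY", sample_answers(False))
    signed, _ = build_response("example.org", "ANY", sample_answers(True))
    cut, kept = build_response("example.org", "ANY", sample_answers(True), tc_limit=UDP_LIMIT)
    print(f"unsigned ANY reply: {len(plain)} bytes, fits 512: {fits_plain_udp(plain)}")
    print(f"signed ANY reply:   {len(signed)} bytes, fits 512: {fits_plain_udp(signed)}")
    print(f"truncated at 512:   {len(cut)} bytes, TC={tc_set(cut)}, kept {kept}")
```

Note that in the truncated reply the MX RRset is what gets dropped, so which records survive a 512-byte cut depends entirely on the server's answer ordering, which is the question Tony's message leaves open.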
From owner-namedroppers@ops.ietf.org Thu May 21 13:53:53 2009
From: bert hubert
Date: Thu, 21 May 2009 22:48:21 +0200
Message-ID: <3efd34cc0905211348r3f6f8a7cr8f79df6bf9172b5b@mail.gmail.com>
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
To: Edward Lewis
Cc: namedroppers@ops.ietf.org

On Thu, May 21, 2009 at 9:22 PM, Edward Lewis wrote:
>> It is sad that doing relevant measurements now elicits a response
>> declaiming the lack of supporting documentation or 'point'.
>
> What's wrong with asking for more info? Displaying results of germane
> measurements is indistinguishable from plucking numbers from air without any
> means for the reader to verify the numbers.

It is indeed indistinguishable if the assumption is that this list is inhabited by crooks and mountebanks that are wont to pluck numbers from thin air and pass them off as credible measurements.

But if you want to reproduce, take an authoritative server, and run:

# tcpdump -i eth0 -n -s 0 -w dump3 port 53
$ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "MX?"
109565
$ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "ANY?"
1175
$ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "? "
3866148

I previously made the mistake of searching for 'MX' and 'ANY' instead of 'MX?' and 'ANY?', which artificially deflated the number of ANY queries, since 'MX' matches both question and response, but 'ANY' questions never get 'ANY' answers.

So the correct number from this one admittedly naive measurement is that the ratio of MX queries to ANY queries is around 100:1.

Bert
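A way to count query types from that tcpdump output without the substring pitfall, as an added example that is not Bert's own script: it takes constructed lines in the format `tcpdump -n -r dump3` prints, counts only lines that are queries sent to port 53, and sets that beside the `grep -c` style substring count. The capture lines, addresses and names are constructed samples, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -r dump3 host 85.17.220.217` output, not a real
# capture: queries go *to* port 53 and carry "TYPE? name", answers come *from* it.
SAMPLE_LINES = """\
18:00:01.000001 IP 192.0.2.10.40001 > 85.17.220.217.53: 4711+ MX? example.org. (29)
18:00:01.000200 IP 85.17.220.217.53 > 192.0.2.10.40001: 4711*- 2/0/0 MX mail.example.org. 10, MX mail2.example.org. 20 (80)
18:00:02.000001 IP 192.0.2.11.40002 > 85.17.220.217.53: 4712+ ANY? example.org. (29)
18:00:02.000200 IP 85.17.220.217.53 > 192.0.2.11.40002: 4712*- 5/0/0 NS ns1.example.org., NS ns2.example.org., A 192.0.2.1, MX mail.example.org. 10, MX mail2.example.org. 20 (150)
18:00:03.000001 IP 192.0.2.12.40003 > 85.17.220.217.53: 4713+ [1au] ANY? mail.example.org. (45)
18:00:03.000200 IP 85.17.220.217.53 > 192.0.2.12.40003: 4713*-| 1/0/1 CNAME mx.example.org. (100)
18:00:04.000001 IP 192.0.2.13.40004 > 85.17.220.217.53: 4714+ A? mail.example.org. (34)
18:00:04.000200 IP 85.17.220.217.53 > 192.0.2.13.40004: 4714*- 2/0/0 CNAME mx.example.org., A 192.0.2.25 (70)
18:00:05.000001 IP 192.0.2.14.40005 > 85.17.220.217.53: 4715+ MX? example.org. (29)
""".splitlines()

# A query line ends in "<id>+ [optional EDNS flags] <QTYPE>? <qname> (<len>)" and is
# addressed to port 53. Answer lines repeat record types such as "MX" in their rdata
# but never contain "ANY", which is exactly why a bare substring count skews the ratio.
QUERY_RE = re.compile(r"> \S+\.53: \d+[+$%]*\S* (?:\[[^\]]*\] )?([A-Z0-9]+)\? (\S+) \(\d+\)$")


def naive_count(lines, needle):
    """What `grep -c "<needle>"` does: count every line containing the substring."""
    return sum(1 for line in lines if needle in line)


def parse_query(line):
    """Return (qtype, qname) for a query line sent to port 53, else None."""
    m = QUERY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def count_queries(lines):
    """Count queries by QTYPE, ignoring answer lines entirely."""
    counts = Counter()
    for line in lines:
        q = parse_query(line)
        if q:
            counts[q[0]] += 1
    return dict(counts)


def mx_to_any_ratio(lines):
    """MX:ANY query ratio as a float, or None when no ANY query was seen."""
    c = count_queries(lines)
    return c.get("MX", 0) / c["ANY"] if c.get("ANY") else None


if __name__ == "__main__":
    for needle in ("MX", "MX?", "ANY", "ANY?", "? "):
        print(f'grep -c "{needle}" -> {naive_count(SAMPLE_LINES, needle)}')
    print("queries by type:", count_queries(SAMPLE_LINES))
    print("MX:ANY query ratio:", mx_to_any_ratio(SAMPLE_LINES))
```

On this sample the bare "MX" count is double the true MX query count because two answer lines carry MX rdata, while "ANY" and "ANY?" agree, reproducing the skew described in the message.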
Date: Thu, 21 May 2009 23:47:53 +0200
From: Peter Koch
To: IETF DNSEXT WG
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090521214753.GD435@x27.adm.denic.de>
In-Reply-To: <20090508181422.GH2372@shinkuro.com>

On Fri, May 08, 2009 at 02:14:22PM -0400, Andrew Sullivan wrote:
> topic seems not to have inspired consensus. Therefore, we would like
> to present five options for consideration:

Not sure that these five make the right "partitioning" of the problem space, but it's hard enough already.

> 1. Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.

Essentially this is probably the best option, even though the "energy" in or of this group is likely neither necessary nor sufficient to aid DNSSEC deployment. At some point, one needs to consider a protocol done. If deployment is slow, creating more distraction by presenting a plethora of "alternatives" is not going to accelerate the effort but will rather have a negative effect.

> 2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and
> include in it recommendations to do nothing else except what that
> document contains. Remove from section 3 any strategies we do not
> want to adopt. (Note that this latter condition entails decisions
> about the next two options.)

Addressing the tactics used in the summer 2008 attack scenarios is an achievable and worthwhile goal, so I'd like to see this draft being worked on.
However, I believe that some of the tactics(!) presented and documented in the draft have side effects on a global scale and are potentially harmful. As examples, I consider both RTT banding and explicit NS RRSet queries as "challenging", to put it mildly. It is extremely important that the overall architecture and operational environment not be changed lightly. > 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps > this gets included in that document, or perhaps it proceeds as part of > a set of documents. Let's leave the editorial process issues out of > the discussion, and just focus on whether we want to include this > strategy in the tool box. With my response to (2), this could and should be postponed to the discussion of the 'resolver side mitigation' draft. Documenting the hack would be nice, but I'm not supportive of deployment of 0x20. > 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this > might be included as part of (2) or processed individually, but that > doesn't matter. I believe the situation is different from (3) as this is not "resolver side" mitigation only. As I stated in an earlier mail, the draft itself doesn't do much more than "reserve" a code point. Judging from other sources and the list discussion, an EDNS based QID space extension is clear and straightforward. However, the downgrade vector and the general issue of hop-by-hop vs end-to-end security don't let me sympathize here. > are inclined to take option (1), because the WG is supposed to be > sleeping. This is by no means to say that we are prejudiced in favour > of that option. It is rather to say that we are procedurally bound, > by our charter, to a default of "No" for at least some of these > documents. Adding a new standards-track item to the WG work requires Not that this would make much of a difference, but resolver side mitigation might be more of a BCP than a Standards Track document. 
-Peter PS: I've also responded to the doodle poll, but I am a bit confused by "This is a experiment for the working group to vote w/o posting to mailing list. In particular this is to cut down on +1 and -1 messages" Hopefully the term "vote" was a clerical error. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Thu May 21 15:37:32 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 392883A6E38; Thu, 21 May 2009 15:37:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.256 X-Spam-Level: X-Spam-Status: No, score=-4.256 tagged_above=-999 required=5 tests=[AWL=-0.631, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxyhpTbJ9Ehp; Thu, 21 May 2009 15:37:31 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 516A63A6C69; Thu, 21 May 2009 15:37:31 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Gpv-0004pv-2U for namedroppers-data0@psg.com; Thu, 21 May 2009 22:34:03 +0000 Received: from [198.32.6.68] (helo=vacation.karoshi.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Gpc-0004jm-SE for namedroppers@ops.ietf.org; Thu, 21 May 2009 22:33:56 +0000 Received: from karoshi.com (localhost.localdomain [127.0.0.1]) by vacation.karoshi.com (8.12.8/8.12.8) with ESMTP id n4LMVsth001713; Thu, 21 May 2009 22:31:57 GMT Received: (from bmanning@localhost) by karoshi.com (8.12.8/8.12.8/Submit) id 
n4LMVsmC001712; Thu, 21 May 2009 22:31:54 GMT Date: Thu, 21 May 2009 22:31:54 +0000 From: bmanning@vacation.karoshi.com To: Peter Koch Cc: IETF DNSEXT WG Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm Message-ID: <20090521223154.GA1634@vacation.karoshi.com.> References: <20090508181422.GH2372@shinkuro.com> <20090521214753.GD435@x27.adm.denic.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090521214753.GD435@x27.adm.denic.de> User-Agent: Mutt/1.4.1i Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Thu, May 21, 2009 at 11:47:53PM +0200, Peter Koch wrote: > On Fri, May 08, 2009 at 02:14:22PM -0400, Andrew Sullivan wrote: > > > 1. Do nothing, and take all energy that might be devoted to this > > effort and direct it towards DNSSEC deployment. > > Essentially this is probably the best option, even though the "energy" in or of > this group is likely neither necessary nor sufficient to aid DNSSEC deployment. > At some point, one needs to consider a protocol done. If deployment is slow, > creating more distraction by presenting a plethora of "alternatives" is > not going to accelerate the effort but will rather have a negative effect. beg to differ. if deployment is slow and the gravity well too deep, one might ask why? truely useful things seem to spread like wildfire... warts and all. which argues for encouraging alternatives. > > PS: I've also responded to the doodle poll, but I am a bit confused by > "This is a experiment for the working group to vote w/o posting to mailing list. > In particular this is to cut down on +1 and -1 messages" > Hopefully the term "vote" was a clerical error. +1 :) --bill -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
archive: From owner-namedroppers@ops.ietf.org Thu May 21 16:17:08 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D4083A67A3; Thu, 21 May 2009 16:17:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.552 X-Spam-Level: X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oqr9SGctwWpu; Thu, 21 May 2009 16:17:07 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4944F3A659B; Thu, 21 May 2009 16:17:07 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7HRZ-0009ES-Dd for namedroppers-data0@psg.com; Thu, 21 May 2009 23:12:57 +0000 Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7HRF-0009Cu-EI for namedroppers@ops.ietf.org; Thu, 21 May 2009 23:12:50 +0000 Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 6D2F9E6059; Thu, 21 May 2009 23:12:36 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4LNCWNW056432; Fri, 22 May 2009 09:12:32 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200905212312.n4LNCWNW056432@drugs.dv.isc.org> To: bert hubert Cc: Edward Lewis , namedroppers@ops.ietf.org From: Mark Andrews Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-reply-to: Your 
message of "Thu, 21 May 2009 22:48:21 +0200." <3efd34cc0905211348r3f6f8a7cr8f79df6bf9172b5b@mail.gmail.com> Date: Fri, 22 May 2009 09:12:32 +1000 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: In message <3efd34cc0905211348r3f6f8a7cr8f79df6bf9172b5b@mail.gmail.com>, bert hubert writes: > On Thu, May 21, 2009 at 9:22 PM, Edward Lewis wrote: > >> It is sad that doing relevant measurements now elicits a response > >> declaiming the lack of supporting documentation or 'point'. > > > > What's wrong with asking for more info? =A0Displaying results of germane > > measurements is indistinguishable from plucking numbers from air without = > any > > means for the reader to verify the numbers. > > It is indeed indistinguishable if the assumption is that this list is > inhabited by crooks and mountebanks that are wont to pluck numbers > from thin air and pass them off as credible measurements. > > But if you want to reproduce, take an authoritative server, and run: > # tcpdump -i eth0 -n -s 0 -w dump3 port 53 > $ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "MX?" > 109565 > $ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "ANY?" > 1175 > $ /usr/sbin/tcpdump -n -r dump3 host 85.17.220.217 | grep -c "? " > 3866148 > > I previously made the mistake of searching for 'MX' and 'ANY' instead > of 'MX?' and 'ANY?', which artificially deflated the number of ANY > queries, since 'MX' matches both question and response, but 'ANY' > questions never get 'ANY' answers. > > So the correct number from this one admittedly naive measurement is > that the ratio of MX queries to ANY queries is around 100:1. > > Bert Which has no relevence to the number of unpatched qmail MTA's vs working MTA's (qmail and others). Mark > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. 
> archive: -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Thu May 21 16:22:22 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E1D83A6924; Thu, 21 May 2009 16:22:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.988 X-Spam-Level: X-Spam-Status: No, score=-4.988 tagged_above=-999 required=5 tests=[AWL=-1.363, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8xf69kLG5V2; Thu, 21 May 2009 16:22:17 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5AB853A6891; Thu, 21 May 2009 16:22:17 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7HYt-000A6e-DL for namedroppers-data0@psg.com; Thu, 21 May 2009 23:20:31 +0000 Received: from [64.18.2.22] (helo=exprod7og122.obsmtp.com) by psg.com with smtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7HYg-000A58-Od for namedroppers@ops.ietf.org; Thu, 21 May 2009 23:20:25 +0000 Received: from source ([64.89.228.229]) (using TLSv1) by exprod7ob122.postini.com ([64.18.6.12]) with SMTP ID DSNKShXhpCSbmvvVouoNNhWAKpK1/yXcav3G@postini.com; Thu, 21 May 2009 16:20:18 PDT Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure 
Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 634481B8390; Thu, 21 May 2009 16:20:17 -0700 (PDT) Received: from uma.here (71.32.40.139) by exchange-01.win.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.1.336.0; Thu, 21 May 2009 16:20:03 -0700 CC: Peter Koch , IETF DNSEXT WG Message-ID: From: Ted Lemon To: In-Reply-To: <20090521223154.GA1634@vacation.karoshi.com.> Content-Type: text/plain; charset="US-ASCII"; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit MIME-Version: 1.0 (Apple Message framework v935.3) Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm Date: Thu, 21 May 2009 16:20:01 -0700 References: <20090508181422.GH2372@shinkuro.com> <20090521214753.GD435@x27.adm.denic.de> <20090521223154.GA1634@vacation.karoshi.com.> X-Mailer: Apple Mail (2.935.3) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On May 21, 2009, at 3:31 PM, bmanning@vacation.karoshi.com wrote: > beg to differ. if deployment is slow and the gravity well too deep, > one might ask why? truely useful things seem to spread like > wildfire... > warts and all. which argues for encouraging alternatives. This would be a great argument in a comparison of apples and apples. For instance, protocols like Skype's proprietary VoIP protocol have indeed spread far and wide not because the IETF pushed them, but because customers adopted them. HTTP spread similarly. SSH and SSL as well. What's the difference? I can turn up Skype or ssh or http or ssl any time I want simply by installing an http server or a copy of skype or what have you on my own machines. I don't need anyone else's cooperation. If the protocol proves popular, lots of people will turn it up on their individual machines, and life will be good. Contrariwise, the IETF has completed a number of protocol suites recently that don't have this quality. You can't simply turn up DNSSEC on your own servers and get value out of it. 
Without the infrastructure, DNSSEC isn't helpful. This is also true of IPv6, and is one of the reasons why IPv6 adoption is slow. The problem is that stuff that can be turned up unilaterally does, as you say, spread like wildfire if it is useful. Stuff that requires massive cooperation between people with competing interests doesn't spread like wildfire, whether it's useful or not. Deploying stuff like this is hard, and takes concentrated effort over time. The fact that it isn't spreading like wildfire, therefore, is no reason to claim that it is not useful. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Thu May 21 19:00:20 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 022923A6DA7; Thu, 21 May 2009 19:00:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.495 X-Spam-Level: X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrIv4RADfNEo; Thu, 21 May 2009 19:00:18 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0953D3A6D21; Thu, 21 May 2009 19:00:18 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Jxr-0001pt-4f for namedroppers-data0@psg.com; Fri, 22 May 2009 01:54:27 +0000 Received: from [66.6.203.2] (helo=hermes.walkereng.com) by psg.com with smtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Jxf-0001nM-5U for namedroppers@ops.ietf.org; Fri, 22 May 2009 01:54:21 +0000 Received: (qmail 28550 
invoked by uid 1000); 22 May 2009 01:53:56 -0000 Date: Thu, 21 May 2009 20:53:56 -0500 From: Emilio Perea To: namedroppers@ops.ietf.org Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY Message-ID: <20090522015356.GA8666@hermes.walkereng.com> Mail-Followup-To: namedroppers@ops.ietf.org References: <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Thu, May 21, 2009 at 11:33:23AM -0700, Matthew Dempsky wrote: > > Just so there's no confusion, qmail only sends ANY queries to check > for CNAME records. It still uses MX and A queries when it wants MX > and A records, respectively. So you would have a problem receiving mail from unpatched qmail servers which do not use dnscache (which I suspect is a very small percentage). But only if you are foolish enough to use a CNAME instead of proper MX and A records. As a long-time qmail user, I don't see that as a big problem. If it ever becomes a problem, we'll fix it. I can't say I'm fond of DNSSEC, but I'm not particularly worried about it either. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
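The measurement Bert Hubert posted earlier in this thread counts `tcpdump -n` summary lines with grep, and he noted that grepping for 'MX' rather than 'MX?' also matched answers. The following Python is an added example written for this archive page, not code from Bert or any other poster: it parses constructed tcpdump-style lines (the sample capture is made up; 85.17.220.217 is used only because it is the server in the quoted commands) and counts only question lines, keyed by QTYPE, next to the naive substring count so the overcount is visible.

```python
"""Count DNS question types in `tcpdump -n` one-line summaries.

Added example for this thread; it is not code from any of the posters.
The sample lines below are constructed to mimic the `tcpdump -n -r dump3`
output that was grepped in the quoted measurement, not a real capture.
"""
import re
from collections import Counter

# Constructed sample: two MX queries with answers, one ANY query with its
# answer, and one A query carrying an EDNS "[1au]" marker, with its answer.
SAMPLE = """\
12:00:00.000100 IP 192.0.2.10.40001 > 85.17.220.217.53: 1001+ MX? example.net. (29)
12:00:00.000200 IP 85.17.220.217.53 > 192.0.2.10.40001: 1001* 1/0/0 MX mail.example.net. 10 (48)
12:00:00.000300 IP 192.0.2.11.40002 > 85.17.220.217.53: 1002+ MX? example.org. (29)
12:00:00.000400 IP 85.17.220.217.53 > 192.0.2.11.40002: 1002* 1/0/0 MX mx.example.org. 10 (46)
12:00:00.000500 IP 192.0.2.12.40003 > 85.17.220.217.53: 1003+ ANY? example.net. (29)
12:00:00.000600 IP 85.17.220.217.53 > 192.0.2.12.40003: 1003* 3/0/0 MX mail.example.net. 10, A 192.0.2.80, NS ns1.example.net. (90)
12:00:00.000700 IP 192.0.2.13.40004 > 85.17.220.217.53: 1004+ [1au] A? www.example.net. (44)
12:00:00.000800 IP 85.17.220.217.53 > 192.0.2.13.40004: 1004* 1/0/0 A 192.0.2.80 (49)
"""

# A question line has destination port 53, an ID token (with optional flag
# characters such as '+' for RD), an optional EDNS marker like "[1au]", and
# then "<QTYPE>? <QNAME>". Answers have *source* port 53 and the type is
# not followed by "?", which is why `grep -c MX` also counted answers.
QUESTION_RE = re.compile(
    r" > (?P<server>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\S+ (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)


def count_questions(text, server=None):
    """Per-QTYPE counts of question lines, optionally only those sent to `server`."""
    counts = Counter()
    for line in text.splitlines():
        m = QUESTION_RE.search(line)
        if m and (server is None or m.group("server") == server):
            counts[m.group("qtype")] += 1
    return counts


def naive_grep_count(text, token):
    """Mimic `grep -c TOKEN`: every line containing the substring, answers included."""
    return sum(1 for line in text.splitlines() if token in line)


def mx_to_any_ratio(counts):
    """The MX:ANY ratio reported in the thread; infinite if no ANY questions were seen."""
    return counts["MX"] / counts["ANY"] if counts["ANY"] else float("inf")


if __name__ == "__main__":
    q = count_questions(SAMPLE, server="85.17.220.217")
    print("questions by type:", dict(q))
    print("grep -c MX  :", naive_grep_count(SAMPLE, "MX"), "(answers included)")
    print("grep -c MX? :", naive_grep_count(SAMPLE, "MX?"))
    print("MX:ANY ratio:", mx_to_any_ratio(q))
```

Run it directly to print the counts; on a real capture, feed it the text output of `tcpdump -n -r dump3` instead of SAMPLE. The regex keys on the destination port being 53, so answers and traffic not addressed to a server are ignored, which is exactly the distinction the grep for 'MX?' was making by hand.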
From owner-namedroppers@ops.ietf.org Thu May 21 19:31:25 2009
Date: Thu, 21 May 2009 19:25:52 -0700
From: Matthew Dempsky
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
In-Reply-To: <20090522015356.GA8666@hermes.walkereng.com>
References: <20090520101849.GA13291@vacation.karoshi.com.> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> <20090522015356.GA8666@hermes.walkereng.com>

On Thu, May 21, 2009 at 6:53 PM, Emilio Perea wrote:
> So you would have a problem receiving mail from unpatched qmail servers
> which do not use dnscache (which I suspect is a very small percentage).

Yes.

> But only if you are foolish enough to use a CNAME instead of proper MX
> and A records.

No, the CNAME queries are distinct from the MX/A queries. The CNAME queries are so qmail can rewrite box@foo.com to box@bar.net if there's a CNAME record for "foo.com CNAME box.net". The MX/A queries are so qmail can determine what IP address to connect to when delivering mail to a certain domain's mail servers.

When qmail sends mail to another server, these queries will always be for the same domain name, but the code that actually handles this makes no such assumption.

From owner-namedroppers@ops.ietf.org Thu May 21 19:48:16 2009
Date: Fri, 22 May 2009 02:41:24 +0000
From: bmanning@vacation.karoshi.com
To: Ted Lemon
Cc: bmanning@vacation.karoshi.com, Peter Koch, IETF DNSEXT WG
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
Message-ID: <20090522024124.GB3008@vacation.karoshi.com.>
References: <20090508181422.GH2372@shinkuro.com> <20090521214753.GD435@x27.adm.denic.de> <20090521223154.GA1634@vacation.karoshi.com.>
User-Agent: Mutt/1.4.1i

On Thu, May 21, 2009 at 04:20:01PM -0700, Ted Lemon wrote:
> On May 21, 2009, at 3:31 PM, bmanning@vacation.karoshi.com wrote:
> > beg to differ. if deployment is slow and the gravity well too deep,
> > one might ask why? truly useful things seem to spread like
> > wildfire...
> > warts and all. which argues for encouraging alternatives.
>
> This would be a great argument in a comparison of apples and apples.
> For instance, protocols like Skype's proprietary VoIP protocol have
> indeed spread far and wide not because the IETF pushed them, but
> because customers adopted them. HTTP spread similarly. SSH and SSL
> as well.
>
> What's the difference? I can turn up Skype or ssh or http or ssl any
> time I want simply by installing an http server or a copy of skype or
> what have you on my own machines. I don't need anyone else's
> cooperation. If the protocol proves popular, lots of people will
> turn it up on their individual machines, and life will be good.

actually, it requires at least a pair.

> Contrariwise, the IETF has completed a number of protocol suites
> recently that don't have this quality.

historically that was not true... but then, when one has abandoned the E2E principle in favor of a centralized locus of control... that's what you get.

> You can't simply turn up
> DNSSEC on your own servers and get value out of it. Without the
> infrastructure, DNSSEC isn't helpful.

there are those who might argue that point w/ you.

> Deploying stuff
> like this is hard, and takes concentrated effort over time. The fact
> that it isn't spreading like wildfire, therefore, is no reason to
> claim that it is not useful.

i never said it was not useful ... i'm suggesting that we not abandon development efforts for another decade... that's one sure way to cement your OBE status.

--bill

From owner-namedroppers@ops.ietf.org Thu May 21 19:48:29 2009
Date: Fri, 22 May 2009 02:45:59 +0000
From: Paul Vixie
To: Matthew Dempsky
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <38196.1242960359@nsa.vix.com>
In-Reply-To: Your message of "Thu, 21 May 2009 19:25:52 MST."
References: <20090520101849.GA13291@vacation.karoshi.com.> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> <20090522015356.GA8666@hermes.walkereng.com>
X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1

> Date: Thu, 21 May 2009 19:25:52 -0700
> From: Matthew Dempsky
> ...
> The CNAME queries are so qmail can rewrite box@foo.com to box@bar.net
> if there's a CNAME record for "foo.com CNAME box.net".

so, if there's no A or AAAA or MX RR at the target, the rewrite will be from an undeliverable name to some other undeliverable name, which is meaningless.

if qmail really wants to rewrite these names it should make RFC 974 style queries (that is, for MX, then for A, and i guess for AAAA) and if it gets a CNAME as part of the response it should do the rewrite.

there's nothing gained by the CNAME (or ANY) queries in this case.

but we digress.

From owner-namedroppers@ops.ietf.org Thu May 21 20:20:17 2009
Date: Fri, 22 May 2009 13:16:49 +1000
From: Mark Andrews
To: Paul Vixie
Cc: Matthew Dempsky, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-Id: <200905220316.n4M3Gnn5030224@drugs.dv.isc.org>
In-reply-to: Your message of "Fri, 22 May 2009 02:45:59 GMT." <38196.1242960359@nsa.vix.com>

In message <38196.1242960359@nsa.vix.com>, Paul Vixie writes:
> > Date: Thu, 21 May 2009 19:25:52 -0700
> > From: Matthew Dempsky
> > ...
> > The CNAME queries are so qmail can rewrite box@foo.com to box@bar.net
> > if there's a CNAME record for "foo.com CNAME box.net".
>
> so, if there's no A or AAAA or MX RR at the target, the rewrite will be
> from an undeliverable name to some other undeliverable name, which is
> meaningless.
>
> if qmail really wants to rewrite these names it should make RFC 974 style
> queries (that is, for MX, then for A, and i guess for AAAA) and if it
> gets a CNAME as part of the response it should do the rewrite.

Actually the rewrite code only needs to do a MX query. If there is a CNAME it will be returned regardless of whether there is a MX record or not. In either case the local recursive server now knows whether there is a MX record or not.

> there's nothing gained by the CNAME (or ANY) queries in this case.
>
> but we digress.

Indeed.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
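To make the point above concrete, here is an added example, not qmail's code and not from anyone in the thread, that canonicalises a mail domain using only the answer to an MX query: the CNAME chain and the MX at the canonical name arrive in the same response, so no ANY query is needed. The resolver and every answer section are constructed stand-ins (`fake_query`, `FAKE_ANSWERS` are made up for this example), and it also covers the two failure cases raised in this thread: a CNAME whose target has no MX, and a CNAME loop that the client must refuse to follow indefinitely.

```python
"""Canonicalise a mail domain from a single MX query.

Added example for this thread; it is not qmail's code. `fake_query` and
`FAKE_ANSWERS` are constructed stand-ins for a resolver and its answers.
"""

# Constructed answer sections keyed by (qname, qtype). Each RR is
# (owner, type, rdata). A resolver chasing a CNAME returns the chain plus
# whatever records exist at the final name, which is what is modelled here.
FAKE_ANSWERS = {
    ("foo.example", "MX"): [
        ("foo.example", "CNAME", "bar.example"),
        ("bar.example", "MX", "10 mail.bar.example"),
    ],
    ("old.example", "MX"): [
        ("old.example", "CNAME", "mid.example"),
        ("mid.example", "CNAME", "new.example"),
        ("new.example", "MX", "10 mx.new.example"),
    ],
    ("plain.example", "MX"): [
        ("plain.example", "MX", "10 mx.plain.example"),
    ],
    # CNAME to a name with no MX: an undeliverable name rewritten to another.
    ("dangling.example", "MX"): [
        ("dangling.example", "CNAME", "nowhere.example"),
    ],
    # A CNAME loop; the client must not follow it forever.
    ("loop.example", "MX"): [
        ("loop.example", "CNAME", "loop2.example"),
        ("loop2.example", "CNAME", "loop.example"),
    ],
}

MAX_CNAME_CHAIN = 8  # bound on CNAME hops we are willing to follow


def fake_query(qname, qtype):
    """Stand-in resolver: the answer section for (qname, qtype), or an empty list."""
    return FAKE_ANSWERS.get((qname.lower().rstrip("."), qtype), [])


def canonicalize(domain, query=fake_query):
    """Return (canonical_name, has_mx) using only one MX query for `domain`.

    The CNAME records in the MX answer give the canonical name; whether an MX
    exists at that name is read from the same answer section.
    """
    answer = query(domain, "MX")
    cnames = {owner.lower(): target.lower()
              for owner, rtype, target in answer if rtype == "CNAME"}
    name = domain.lower().rstrip(".")
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= MAX_CNAME_CHAIN:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = cnames[name]
    has_mx = any(owner.lower() == name and rtype == "MX"
                 for owner, rtype, _ in answer)
    return name, has_mx


def rewrite_address(addr, query=fake_query):
    """Rewrite box@alias to box@canonical and report whether an MX exists there."""
    local, _, domain = addr.rpartition("@")
    canon, has_mx = canonicalize(domain, query)
    return f"{local}@{canon}", has_mx


if __name__ == "__main__":
    for a in ("box@foo.example", "box@old.example",
              "box@plain.example", "box@dangling.example"):
        print(a, "->", rewrite_address(a))
```

`has_mx` is False for the dangling case, which is the situation where the rewrite buys nothing; a caller that actually delivers mail would still need the RFC 974 fallback to A records, but that is a second query either way, not an ANY.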
archive: From owner-namedroppers@ops.ietf.org Thu May 21 20:20:22 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A0D183A6918; Thu, 21 May 2009 20:20:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.195 X-Spam-Level: X-Spam-Status: No, score=0.195 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uG3m-1yaGSBQ; Thu, 21 May 2009 20:20:21 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A16333A680C; Thu, 21 May 2009 20:20:21 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7LFV-000BO0-0N for namedroppers-data0@psg.com; Fri, 22 May 2009 03:16:45 +0000 Received: from [209.85.217.159] (helo=mail-gx0-f159.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7LFB-000BJ7-Kx for namedroppers@ops.ietf.org; Fri, 22 May 2009 03:16:38 +0000 Received: by gxk3 with SMTP id 3so3348092gxk.17 for ; Thu, 21 May 2009 20:16:24 -0700 (PDT) MIME-Version: 1.0 Received: by 10.90.98.13 with SMTP id v13mr849718agb.43.1242962183228; Thu, 21 May 2009 20:16:23 -0700 (PDT) In-Reply-To: <38196.1242960359@nsa.vix.com> References: <20090520101849.GA13291@vacation.karoshi.com.> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> <20090522015356.GA8666@hermes.walkereng.com> <38196.1242960359@nsa.vix.com> Date: Thu, 21 May 2009 20:16:22 -0700 Message-ID: Subject: Re: [dnsext] 
Question on RFC 3225 - DO Bit and ANY From: Matthew Dempsky To: Paul Vixie Cc: namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Thu, May 21, 2009 at 7:45 PM, Paul Vixie wrote: > so, if there's no A or AAAA or MX RR at the target, the rewrite will be > from an undeliverable name to some other undeliverable name, which is > meaningless. Sure, whatever. I'm not arguing for its behavior, I'm just trying to explain it so people worried about being compatible with its behavior actually know what they need to be compatible with. > if qmail really wants to rewrite these names it should make RFC 974 style > queries (that is, for MX, then for A, and i guess for AAAA) and if it > gets a CNAME as part of the response it should do the rewrite. I tried to be clear in my last email, but apparently not well enough. In the qmail package, there's a program "qmail-remote". It's invoked by running "qmail-remote host sender recip [ recip ...]", and providing an RFC 822 message on stdin. E.g., to send a message to isc.org's mail servers with an envelope from matthew@dempsky.org to vixie@isc.org, I would invoke it: qmail-remote isc.org matthew@dempsky.org vixie@isc.org < message Because RFC 821 does not allow domain aliases in email addresses in the envelope, qmail-remote needs to make sure vixie@isc.org is in canonical form; it originally did this by making a CNAME query for isc.org, but later changed to making an ANY query for isc.org, to be compatible with sendmail's behavior at the time. After converting all recipient addresses to canonical form, qmail-remote then does the standard MX/A record lookups on the host argument, which in the above use case *happens* to also be isc.org. 
However, it would be perfectly acceptable for qmail-remote to be invoked as:

qmail-remote gmail.com vixie@isc.org matthew@dempsky.org < response

Now qmail-remote does an ANY query for dempsky.org to ensure matthew@dempsky.org is in canonical form, followed by MX/A queries for gmail.com to find what mail servers to contact. (The qmail package would never invoke qmail-remote in such a way that the domain names queried for are different, but qmail-remote does not make that assumption.)

> there's nothing gained by the CNAME (or ANY) queries in this case.

Sure, but that's what the SMTP RFCs required at the time qmail was written. See http://cr.yp.to/im/cname.html.

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Thu May 21 20:44:18 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E55F3A6DC1; Thu, 21 May 2009 20:44:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.557 X-Spam-Level: X-Spam-Status: No, score=-2.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKDAJC5wy3p2; Thu, 21 May 2009 20:44:17 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 422EA3A6F93; Thu, 21 May 2009 20:44:17 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7LcT-000EMJ-IY for namedroppers-data0@psg.com; Fri, 22 May 2009 03:40:29 +0000 Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7LcF-000EKy-30 for
namedroppers@ops.ietf.org; Fri, 22 May 2009 03:40:22 +0000 Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 1AA95E6056; Fri, 22 May 2009 03:40:13 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4M3eBqo030507; Fri, 22 May 2009 13:40:11 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200905220340.n4M3eBqo030507@drugs.dv.isc.org> To: Matthew Dempsky Cc: Paul Vixie , namedroppers@ops.ietf.org From: Mark Andrews Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-reply-to: Your message of "Thu, 21 May 2009 20:16:22 MST." Date: Fri, 22 May 2009 13:40:11 +1000 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

In message , Matthew Dempsky writes:
> On Thu, May 21, 2009 at 7:45 PM, Paul Vixie wrote:
> > so, if there's no A or AAAA or MX RR at the target, the rewrite will be
> > from an undeliverable name to some other undeliverable name, which is
> > meaningless.
>
> Sure, whatever. I'm not arguing for its behavior, I'm just trying to
> explain it so people worried about being compatible with its behavior
> actually know what they need to be compatible with.
>
> > if qmail really wants to rewrite these names it should make RFC 974 style
> > queries (that is, for MX, then for A, and i guess for AAAA) and if it
> > gets a CNAME as part of the response it should do the rewrite.
>
> I tried to be clear in my last email, but apparently not well enough.
>
> In the qmail package, there's a program "qmail-remote". It's invoked
> by running "qmail-remote host sender recip [ recip ...]", and
> providing an RFC 822 message on stdin. E.g., to send a message to
> isc.org's mail servers with an envelope from matthew@dempsky.org to
> vixie@isc.org, I would invoke it:
>
> qmail-remote isc.org matthew@dempsky.org vixie@isc.org < message
>
> Because RFC 821 does not allow domain aliases in email addresses in
> the envelope, qmail-remote needs to make sure vixie@isc.org is in
> canonical form; it originally did this by making a CNAME query for
> isc.org, but later changed to making an ANY query for isc.org, to be
> compatible with sendmail's behavior at the time.

Whereas an MX query would have done the same thing and removed a redundant query from the processing.

> After converting all recipient addresses to canonical form,
> qmail-remote then does the standard MX/A record lookups on the host
> argument, which in the above use case *happens* to also be isc.org.
>
> However, it would be perfectly acceptable for qmail-remote to be invoked as:
>
> qmail-remote gmail.com vixie@isc.org matthew@dempsky.org < response
>
> Now qmail-remote does an ANY query for dempsky.org to ensure
> matthew@dempsky.org is in canonical form, followed by MX/A queries for
> gmail.com to find what mail servers to contact. (The qmail package
> would never invoke qmail-remote in such a way that the domain
> names queried for are different, but qmail-remote does not make that
> assumption.)
>
> > there's nothing gained by the CNAME (or ANY) queries in this case.
>
> Sure, but that's what the SMTP RFCs required at the time qmail was
> written. See http://cr.yp.to/im/cname.html.

No, they don't require a CNAME query. They require the name not be an alias. This can be satisfied without performing anything other than MX and A (and now AAAA) queries.

Mark
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Thu May 21 20:56:29 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D3793A6B59; Thu, 21 May 2009 20:56:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.17 X-Spam-Level: X-Spam-Status: No, score=0.17 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CHL8N9-h4+uv; Thu, 21 May 2009 20:56:28 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 567763A6EE5; Thu, 21 May 2009 20:56:28 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Lp1-000G3t-HV for namedroppers-data0@psg.com; Fri, 22 May 2009 03:53:27 +0000 Received: from [74.125.44.29] (helo=yx-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Loo-000G2h-6d for namedroppers@ops.ietf.org; Fri, 22 May 2009 03:53:20 +0000 Received: by yx-out-2324.google.com with SMTP id 8so872079yxm.71 for ; Thu, 21 May 2009 20:53:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.90.79.4 with SMTP id c4mr872572agb.120.1242964392518; Thu, 21 May 2009 20:53:12 -0700 (PDT) In-Reply-To: References: <20090520101849.GA13291@vacation.karoshi.com.> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> <20090522015356.GA8666@hermes.walkereng.com> <38196.1242960359@nsa.vix.com> Date: Thu, 21 May 2009 20:53:12 -0700 Message-ID: Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY From: Matthew Dempsky To: 
namedroppers@ops.ietf.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: On Thu, May 21, 2009 at 8:16 PM, Matthew Dempsky wrote: > [overly detailed explanation] When qmail needs to deliver a message for foo@domain.com over SMTP, it performs an ANY query for domain.com. If the DNS cache's response packet's answer section exceeds 512 bytes, the delivery attempt will soft fail, an error message will be written into qmail's logs, and the message will eventually bounce. It doesn't matter why or that it could do things differently. This is what it does. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Thu May 21 21:12:07 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DBEAC3A6FE4; Thu, 21 May 2009 21:12:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.419 X-Spam-Level: X-Spam-Status: No, score=-2.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHZ2bwb2QQJe; Thu, 21 May 2009 21:12:07 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D41E33A6FC6; Thu, 21 May 2009 21:12:06 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7M5E-000IE6-9c for namedroppers-data0@psg.com; Fri, 22 May 2009 04:10:12 +0000 Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7M50-000ICo-M3 for 
namedroppers@ops.ietf.org; Fri, 22 May 2009 04:10:05 +0000 Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 444CBA2D41; Fri, 22 May 2009 04:09:58 +0000 (UTC) (envelope-from vixie@nsa.vix.com) From: Paul Vixie To: Matthew Dempsky cc: namedroppers@ops.ietf.org Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-Reply-To: Your message of "Thu, 21 May 2009 20:16:22 MST." References: <20090520101849.GA13291@vacation.karoshi.com.> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <258CB428CC561E9DAFBAD481@nimrod.local> <20090522015356.GA8666@hermes.walkereng.com> <38196.1242960359@nsa.vix.com> X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1 Date: Fri, 22 May 2009 04:09:58 +0000 Message-ID: <41739.1242965398@nsa.vix.com> Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

> Date: Thu, 21 May 2009 20:16:22 -0700
> From: Matthew Dempsky
>
> ... I'm just trying to explain it so people worried about being
> compatible with its behavior actually know what they need to be
> compatible with.

thanks for that.

> ...
>
> qmail-remote isc.org matthew@dempsky.org vixie@isc.org < message
>
> Because RFC 821 does not allow domain aliases in email addresses in
> the envelope, qmail-remote needs to make sure vixie@isc.org is in
> canonical form; it originally did this by making a CNAME query for
> isc.org, but later changed to making an ANY query for isc.org, to be
> compatible with sendmail's behavior at the time.

sendmail's behaviour was horrid. i fought on the side of "make the MX and/or A query you would make to find RFC 974 deliverability, and if you get a CNAME chain back, use it for rewrites."

> > there's nothing gained by the CNAME (or ANY) queries in this case.
>
> Sure, but that's what the SMTP RFCs required at the time qmail was
> written. See http://cr.yp.to/im/cname.html.

according to...
http://www.amazon.com/Sendmail-Theory-Practice-Frederick-Avolio/dp/1555581277/ref=sr_1_1?ie=UTF8&s=books&qid=1242965145&sr=8-1 ...i was alive and well and working in the SMTP field in the old days, and i can tell you that the SMTP RFC's of that era did not require that an ANY query be made. canonicalization can be done in several other ways. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Thu May 21 21:22:41 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 217FC3A6E4E; Thu, 21 May 2009 21:22:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.559 X-Spam-Level: X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xDIOpF732kl; Thu, 21 May 2009 21:22:40 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3F46E3A6CE0; Thu, 21 May 2009 21:22:40 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7MFe-000JTR-D1 for namedroppers-data0@psg.com; Fri, 22 May 2009 04:20:58 +0000 Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7MFQ-000JSF-Im for namedroppers@ops.ietf.org; Fri, 22 May 2009 04:20:51 +0000 Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 
D57BEE601C; Fri, 22 May 2009 04:20:43 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4M4KfjQ041652; Fri, 22 May 2009 14:20:41 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200905220420.n4M4KfjQ041652@drugs.dv.isc.org> To: Matthew Dempsky Cc: namedroppers@ops.ietf.org From: Mark Andrews Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-reply-to: Your message of "Thu, 21 May 2009 20:53:12 MST." Date: Fri, 22 May 2009 14:20:41 +1000 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

In message , Matthew Dempsky writes:
> On Thu, May 21, 2009 at 8:16 PM, Matthew Dempsky wrote:
> > [overly detailed explanation]
>
> When qmail needs to deliver a message for foo@domain.com over SMTP, it
> performs an ANY query for domain.com. If the DNS cache's response
> packet's answer section exceeds 512 bytes, the delivery attempt will
> soft fail, an error message will be written into qmail's logs, and the
> message will eventually bounce.

Good. Unpatched qmail is broken and should be removed from the net. Breaking email delivery, in this case, is a good thing. It will increase the overall health of the global email system.

Mark

> It doesn't matter why or that it could do things differently. This is
> what it does.

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Thu May 21 22:58:47 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 98D333A7020; Thu, 21 May 2009 22:58:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.214 X-Spam-Level: X-Spam-Status: No, score=-0.214 tagged_above=-999 required=5 tests=[AWL=-0.964, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67bHdBJypqth; Thu, 21 May 2009 22:58:46 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0954B3A7025; Thu, 21 May 2009 22:58:46 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7Nin-000574-I6 for namedroppers-data0@psg.com; Fri, 22 May 2009 05:55:09 +0000 Received: from [212.9.189.167] (helo=mail.enyo.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7NiV-00056C-Rm for namedroppers@ops.ietf.org; Fri, 22 May 2009 05:55:03 +0000 Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1M7NiN-0002Mj-Fs; Fri, 22 May 2009 07:54:43 +0200 Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from ) id 1M7NiM-0004tE-TB; Fri, 22 May 2009 07:54:42 +0200 From: Florian Weimer To: Paul Vixie Cc: bert hubert , Edward Lewis , namedroppers@ops.ietf.org Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> 
<5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <16998.1242929382@nsa.vix.com> Date: Fri, 22 May 2009 07:54:42 +0200 In-Reply-To: <16998.1242929382@nsa.vix.com> (Paul Vixie's message of "Thu, 21 May 2009 18:09:42 +0000") Message-ID: <87hbzd3cnx.fsf@mid.deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

* Paul Vixie:
>> So the upper limit of 'huge ANY answer'-problems appears to be 'one in
>> 200 mail lookups'.
>
> there is nothing the DNS community can do to make those ANY queries succeed,
> even if we revised RFC 3225, which appears unlikely at best.

Server could be changed to return only RFC 1035 RR types in the result (plus AAAA perhaps).

Until now, I didn't realize that BIND includes the RRSIG and NSEC records from a signed parent zone in the answer section (see aol.se for an example). Isn't this in violation of RFC 2181? It doesn't look like a good idea to me.

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Thu May 21 23:48:36 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE0523A6ACA; Thu, 21 May 2009 23:48:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.561 X-Spam-Level: X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77Ucm0FWpJAq; Thu, 21 May 2009 23:48:30 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E88CC3A694C; Thu, 21 May 2009 23:48:29 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7OWB-000BMb-WA for namedroppers-data0@psg.com; Fri, 22 May 2009 06:46:12 +0000 Received: from [2001:4f8:3:bb::5] (helo=farside.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7OVw-000BLp-OJ for namedroppers@ops.ietf.org; Fri, 22 May 2009 06:46:05 +0000 Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id CCB71E6050; Fri, 22 May 2009 06:45:55 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id n4M6jomR052947; Fri, 22 May 2009 16:45:51 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200905220645.n4M6jomR052947@drugs.dv.isc.org> To: Florian Weimer Cc: Paul Vixie , bert hubert , Edward Lewis , namedroppers@ops.ietf.org From: Mark Andrews Subject: Re: [dnsext] Question on RFC 3225 - DO 
Bit and ANY In-reply-to: Your message of "Fri, 22 May 2009 07:54:42 +0200." <87hbzd3cnx.fsf@mid.deneb.enyo.de> Date: Fri, 22 May 2009 16:45:50 +1000 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

In message <87hbzd3cnx.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
> * Paul Vixie:
>
> >> So the upper limit of 'huge ANY answer'-problems appears to be 'one in
> >> 200 mail lookups'.
> >
> > there is nothing the DNS community can do to make those ANY queries succeed,
> > even if we revised RFC 3225, which appears unlikely at best.
>
> Server could be changed to return only RFC 1035 RR types in the result
> (plus AAAA perhaps).

Which *still* wouldn't prevent an unpatched qmail from falling over.

> Until now, I didn't realize that BIND includes the RRSIG and NSEC
> records from a signed parent zone in the answer section (see aol.se for
> an example). Isn't this in violation of RFC 2181?

No. Both the parent and child are authoritative for NSEC.

> It doesn't look like a good idea to me.
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body. archive:

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
archive: From owner-namedroppers@ops.ietf.org Fri May 22 07:55:06 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09E6A3A700F; Fri, 22 May 2009 07:55:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.424 X-Spam-Level: X-Spam-Status: No, score=-2.424 tagged_above=-999 required=5 tests=[AWL=0.175, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pa-JVq+OMGAr; Fri, 22 May 2009 07:55:05 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 18B8B3A6848; Fri, 22 May 2009 07:55:05 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7W4a-00006q-JP for namedroppers-data0@psg.com; Fri, 22 May 2009 14:50:12 +0000 Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7W4M-00004t-JF for namedroppers@ops.ietf.org; Fri, 22 May 2009 14:50:06 +0000 Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 27BDCA2E20; Fri, 22 May 2009 14:49:58 +0000 (UTC) (envelope-from vixie@nsa.vix.com) From: Paul Vixie To: Florian Weimer cc: bert hubert , Edward Lewis , namedroppers@ops.ietf.org Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-Reply-To: Your message of "Fri, 22 May 2009 07:54:42 +0200." 
<87hbzd3cnx.fsf@mid.deneb.enyo.de> References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <6EBA360D-0A11-43F6-B533-3CC2C86A997B@virtualized.org> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com> <16998.1242929382@nsa.vix.com> <87hbzd3cnx.fsf@mid.deneb.enyo.de> X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1 Date: Fri, 22 May 2009 14:49:58 +0000 Message-ID: <67484.1243003798@nsa.vix.com> Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: > From: Florian Weimer > Date: Fri, 22 May 2009 07:54:42 +0200 > > > there is nothing the DNS community can do to make those ANY queries > > succeed, even if we revised RFC 3225, which appears unlikely at best. > > Server could be changed to return only RFC 1035 RR types in the result > (plus AAAA perhaps). those ANY queries are picking up some SPF TXT RRsets, plus some large A and AAAA RRsets, and are already failing. so even if we rev'd RFC 3225 (which is unlikely) and even if every server who has DNSSEC types on board were to upgrade (which is even more unlikely) then this problem would remain. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. 
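The three technical points argued over in this subthread, as an added example that is not part of the thread, of qmail or of any name server: Andrews' and Vixie's point that an MX query for an alias already returns the CNAME chain (so qmail-remote's separate CNAME/ANY query buys nothing); Dempsky's description of unpatched qmail soft-failing on an ANY answer over 512 bytes; and Weimer's proposal to send only RFC 1035 types (plus AAAA) in ANY answers. The script is a stdlib-only Python DNS wire-format encoder and decoder. All names, RRsets, TTLs and the RRSIG blob are constructed here, names are not compressed (so byte counts are upper bounds for what a real server would send), and `qmail_style_lookup` is a model of the behaviour Dempsky describes, not qmail's code.

```python
import struct

# RR type codes from the IANA registry; only the ones this example needs.
A, CNAME, MX, TXT, AAAA, RRSIG, NSEC, ANY = 1, 5, 15, 16, 28, 46, 47, 255
UDP_MAX = 512  # RFC 1035 UDP payload limit; per the thread, all that unpatched qmail accepts

def encode_name(name):
    """Wire-format a dotted name. No label compression, so sizes here are upper bounds."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read an uncompressed name at msg[off]; return (dotted name, offset after it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_response(qname, qtype, rrs):
    """Response with one question and answer RRs given as (owner, type, ttl, rdata)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)  # QR+RD+RA, TC clear
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    for owner, rtype, ttl, rdata in rrs:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body

def parse_answers(msg):
    """Return [(owner, type, rdata)] for the answer section of a response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype, qclass
    out = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return out

# RDATA builders. The RRSIG carries a constructed 128-byte blob, not a real signature.
def mx_rdata(pref, host):
    return struct.pack("!H", pref) + encode_name(host)
def txt_rdata(text):
    return bytes([len(text)]) + text.encode("ascii")
def rrsig_rdata(covered, signer):
    # type covered, algorithm 5, labels, original TTL, expiration, inception, key tag
    fixed = struct.pack("!HBBIIIH", covered, 5, 2, 3600, 0x50000000, 0x4FF00000, 12345)
    return fixed + encode_name(signer) + b"\xaa" * 128  # RSA-1024-sized placeholder
def nsec_rdata(next_name, types):
    bitmap = bytearray(32)  # one type-bitmap window (types 0-255), RFC 4034 s4.1.2
    for t in types:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    n = max(types) // 8 + 1
    return encode_name(next_name) + bytes([0, n]) + bytes(bitmap[:n])

def canonicalize(rrs, name, max_hops=8):
    """Follow the CNAME chain present in the answer section; the MX query already returned it."""
    for _ in range(max_hops):
        targets = [rd for owner, t, rd in rrs if t == CNAME and owner == name]
        if not targets:
            return name
        name = decode_name(targets[0], 0)[0]
    raise ValueError("CNAME chain too long")

def mx_hosts(rrs, name):
    """(preference, host) pairs for the MX RRset at name, lowest preference first."""
    return sorted((struct.unpack("!H", rd[:2])[0], decode_name(rd, 2)[0])
                  for owner, t, rd in rrs if t == MX and owner == name)

def qmail_style_lookup(wire):
    """Model of what Dempsky describes: an answer over 512 bytes is a soft failure (None)."""
    return None if len(wire) > UDP_MAX else parse_answers(wire)

def demo_canonicalize():
    """MX query for the alias in Vixie's example: one answer carries the CNAME and the MX set."""
    wire = build_response("foo.com.", MX, [
        ("foo.com.", CNAME, 3600, encode_name("box.net.")),
        ("box.net.", MX, 3600, mx_rdata(10, "mail.box.net.")),
    ])
    rrs = parse_answers(wire)
    canon = canonicalize(rrs, "foo.com.")
    return canon, mx_hosts(rrs, canon), len(wire)

def demo_sizes():
    """Constructed signed zone: ANY answer with DNSSEC types, without them, and MX only."""
    name = "example.net."
    plain = [
        (name, MX, 3600, mx_rdata(10, "mx1.example.net.")),
        (name, MX, 3600, mx_rdata(20, "mx2.example.net.")),
        (name, A, 3600, bytes([192, 0, 2, 10])),
        (name, A, 3600, bytes([192, 0, 2, 11])),
        (name, AAAA, 3600, bytes.fromhex("20010db8" + "00" * 11 + "10")),
        (name, TXT, 3600, txt_rdata("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all")),
    ]
    dnssec = [(name, RRSIG, 3600, rrsig_rdata(t, name)) for t in (MX, A, AAAA, TXT, NSEC)]
    dnssec.append((name, NSEC, 3600, nsec_rdata("a.example.net.", [A, MX, TXT, AAAA, RRSIG, NSEC])))
    any_wire = build_response(name, ANY, plain + dnssec)
    no_dnssec = build_response(name, ANY, plain)  # Weimer's "RFC 1035 types plus AAAA" answer
    mx_wire = build_response(name, MX, [rr for rr in plain if rr[1] == MX])
    return {"any": len(any_wire), "any_no_dnssec": len(no_dnssec), "mx": len(mx_wire),
            "any_delivers": qmail_style_lookup(any_wire) is not None,
            "mx_delivers": qmail_style_lookup(mx_wire) is not None}
```

`demo_canonicalize()` returns `('box.net.', [(10, 'mail.box.net.')], 88)`: the MX answer alone yields both the canonical name and the MX set, which is the rewrite Andrews and Vixie describe. `demo_sizes()` puts the constructed ANY answer with its RRSIG and NSEC records well over 512 bytes (a soft failure in the model), the MX-only answer at 113 bytes, and the DNSSEC-stripped ANY answer at 276 bytes. Whether a stripped answer fits depends on the remaining A, AAAA and TXT RRsets, which is Vixie's objection to that fix; a zone with large address or SPF sets can cross 512 bytes with no DNSSEC at all.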
archive: From owner-namedroppers@ops.ietf.org Fri May 22 08:23:39 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31B3E3A704C; Fri, 22 May 2009 08:23:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.703 X-Spam-Level: X-Spam-Status: No, score=-0.703 tagged_above=-999 required=5 tests=[AWL=-1.078, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlCSPzUBKSPM; Fri, 22 May 2009 08:23:38 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B8FB53A704A; Fri, 22 May 2009 08:23:37 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7WYZ-0004q0-S6 for namedroppers-data0@psg.com; Fri, 22 May 2009 15:21:11 +0000 Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7WYN-0004nZ-Uq for namedroppers@ops.ietf.org; Fri, 22 May 2009 15:21:05 +0000 Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4MFKsun081858; Fri, 22 May 2009 11:20:55 -0400 (EDT) (envelope-from ogud@ogud.com) Message-Id: <200905221520.n4MFKsun081858@stora.ogud.com> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 22 May 2009 10:48:44 -0400 To: bmanning@vacation.karoshi.com, Peter Koch From: Olafur Gudmundsson Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm Cc: IETF DNSEXT WG In-Reply-To: <20090521223154.GA1634@vacation.karoshi.com.> References: <20090508181422.GH2372@shinkuro.com> <20090521214753.GD435@x27.adm.denic.de> 
<20090521223154.GA1634@vacation.karoshi.com.> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: At 18:31 21/05/2009, bmanning@vacation.karoshi.com wrote: >On Thu, May 21, 2009 at 11:47:53PM +0200, Peter Koch wrote: > > On Fri, May 08, 2009 at 02:14:22PM -0400, Andrew Sullivan wrote: > > > > PS: I've also responded to the doodle poll, but I am a bit confused by > > "This is a experiment for the working group to vote w/o > posting to mailing list. > > In particular this is to cut down on +1 and -1 messages" > > Hopefully the term "vote" was a clerical error. > >+1 :) s/vote/voice opinion/ sorry Olafur -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From owner-namedroppers@ops.ietf.org Fri May 22 08:33:01 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 998E93A690D; Fri, 22 May 2009 08:33:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.975 X-Spam-Level: X-Spam-Status: No, score=-0.975 tagged_above=-999 required=5 tests=[AWL=-0.780, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lB4MO-gRTmoW; Fri, 22 May 2009 08:33:00 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B74943A6AFB; Fri, 22 May 2009 08:33:00 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7WiU-0006KC-Eb for namedroppers-data0@psg.com; Fri, 22 May 2009 15:31:26 +0000 
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M7WiH-0006Iq-KZ for namedroppers@ops.ietf.org; Fri, 22 May 2009 15:31:19 +0000 Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4MFVBWc081993 for ; Fri, 22 May 2009 11:31:11 -0400 (EDT) (envelope-from ogud@ogud.com) Message-Id: <200905221531.n4MFVBWc081993@stora.ogud.com> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 22 May 2009 11:29:19 -0400 To: namedroppers@ops.ietf.org From: Ólafur Guðmundsson /DNSEXT chair Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY In-Reply-To: <87C9F8BC-21DB-47A1-9071-5F1BEEEAC4A3@virtualized.org> References: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> <26ED6020-A2EE-469F-BD87-ABE95EAF8F80@virtualized.org> <59F3BDD0AE0B454991154F1F4BC901FE@localhost> <20090521.114604.74662153.sthaug@nethelp.no> <4A1540C1.4000603@cryptocom.ru> <87C9F8BC-21DB-47A1-9071-5F1BEEEAC4A3@virtualized.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20 Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID:

Please stop posting on this topic; the discussion is not going anywhere.

Olafur

-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
From owner-namedroppers@ops.ietf.org Fri May 22 09:22:18 2009
From: Florian Weimer
To: Paul Vixie
Cc: bert hubert, Edward Lewis, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Fri, 22 May 2009 18:18:27 +0200

* Paul Vixie:

>> From: Florian Weimer
>> Date: Fri, 22 May 2009 07:54:42 +0200
>>
>> > there is nothing the DNS community can do to make those ANY queries
>> > succeed, even if we revised RFC 3225, which appears unlikely at best.
>>
>> Server could be changed to return only RFC 1035 RR types in the result
>> (plus AAAA perhaps).
>
> those ANY queries are picking up some SPF TXT RRsets, plus some
> large A and AAAA RRsets, and are already failing.

The difference is that DNSSEC records are forced upon you by the parent
zone. You can carefully control those other records if you fear the
eyeball hit.
From owner-namedroppers@ops.ietf.org Fri May 22 10:24:49 2009
From: Matthew Dempsky
Date: Fri, 22 May 2009 10:18:33 -0700
To: namedroppers@ops.ietf.org
Subject: [dnsext] Selecting which name server IP address to query

What algorithm do existing DNS caches use for deciding what IP addresses
to send queries to?
E.g., suppose example.com has the following NS, A, and AAAA records:

example.com.        NS    a.ns.example.com.
example.com.        NS    b.ns.example.com.
example.com.        NS    c.ns.example.com.
example.com.        NS    d.ns.example.com.
a.ns.example.com.   A     42.0.0.1
a.ns.example.com.   A     42.0.0.2
a.ns.example.com.   AAAA  2001::1
a.ns.example.com.   AAAA  2001::2
b.ns.example.com.   A     42.0.0.3
b.ns.example.com.   AAAA  2001::3
c.ns.example.com.   A     42.0.0.4
d.ns.example.com.   AAAA  2001::5

How do existing DNS caches decide which IP addresses to query for a name
in .example.com?

I can imagine a lot of variations on how caches handle the above data
set, and I'm just curious to know what existing practices are. I haven't
noticed any RFCs describing the expected behavior in this situation, but
I might have missed it.

E.g., dnscache does not support sending queries over IPv6, so it only
uses the A records. It puts all four of them into a list (limited to the
first 16 addresses found), randomly shuffles the list weighing each
address equally, and then cycles through the resulting list until a name
server responds (giving up after a few iterations of the complete list).
Also, in the case of d.ns.example.com, it will think the parent server is
missing A glue records and spend some extra time trying to track down A
records for it until it can cache an authoritative NODATA response for
d.ns.example.com/A.

Thanks.
From owner-namedroppers@ops.ietf.org Fri May 22 10:54:25 2009
From: Florian Weimer
To: Matthew Dempsky
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Selecting which name server IP address to query
Date: Fri, 22 May 2009 19:50:30 +0200
* Matthew Dempsky:

> I haven't noticed any RFCs describing the expected
> behavior in this situation,

RFC 3484 mostly covers this (at least the cold cache case).

From owner-namedroppers@ops.ietf.org Fri May 22 12:18:27 2009
From: Matt Larson
Date: Fri, 22 May 2009 15:14:34 -0400
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Selecting which name server IP address to query

On Fri, 22 May 2009, Florian Weimer wrote:
> * Matthew Dempsky:
>
> > I haven't noticed any RFCs describing the expected
> > behavior in this situation,
>
> RFC 3484 mostly covers this (at least the cold cache case).

Well, yes, it describes the cold case, but it doesn't describe commonly
implemented algorithms for name server selection in iterative resolvers,
which is I believe what Matthew was asking about.

BIND's iterative resolver measures round trip time to servers, keeps
state and chooses the server responding the fastest for subsequent
queries to zones served by that server. There is a brief description of
this algorithm here:

http://www.dns.net/dnsrd/trick.html#which-server-queried

Last I knew, Microsoft's iterative resolver (in its Windows Server
products) had a similar RTT-based algorithm. I believe Unbound also has
an RTT-based algorithm (which I should know definitively, but don't).

Matthew is correct that there isn't guidance documented anywhere, to my
knowledge. The only place in the DNS specifications that touch on this
that I'm aware of is Section 5.3.3 of RFC 1034. Note that this entire
problem is essentially summarized in that RFC as:

   2. Find the best servers to ask.

This is yet another gaping hole in the DNSSEC spec, causing each new
implementor to reinvent the wheel.
Matt
From owner-namedroppers@ops.ietf.org Fri May 22 14:00:01 2009
From: bert hubert
Date: Fri, 22 May 2009 22:53:59 +0200
To: Matt Larson
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Selecting which name server IP address to query

On Fri, May 22, 2009 at 9:14 PM, Matt Larson wrote:
> BIND's iterative resolver measures round trip time to servers, keeps
> state and chooses the server responding the fastest for subsequent
> queries to zones served by that server. There is a brief description
> of this algorithm here:

PowerDNS is both cool (I think) and weird in this respect. PowerDNS
measures RTT, and selects the server with the lowest RTT. Unknown
servers have a 0 RTT.

The measured RTT decays over time, so a server that 'used to be slow'
gets a chance to prove itself after a while (because it is considered to
become 'faster' over time). A timeout is accounted as a 1000ms RTT. In
addition, servers that don't answer get throttled anyhow.

What is not cool is that statistics are kept per nameserver *name* -
which is somewhat of a chicken and egg problem. When confronted with 10
nameserver names, PowerDNS may remember one of them being really fast,
only to discover later on that we forgot its IP address.
The statistics per name are counted as the fastest IP address we used
to know for that name. These decay individually, so all IP addresses
get a chance over time. This includes IPv6 addresses on a strictly
equal basis.

> Matthew is correct that there isn't guidance documented anywhere, to
> my knowledge. The only place in the DNS specifications that touch on
> this that I'm aware of is Section 5.3.3 of RFC 1034. Note that this
> entire problem is essentially summarized in that RFC as:
>
>   2. Find the best servers to ask.

Guidance is fine by me, but I'd hate for an RFC to stifle innovation
by proscribing certain behaviour. This is as true for legislation
('real laws') as it is for standards.

> This is yet another gaping hole in the DNSSEC spec, causing each new
> implementor to reinvent the wheel.

For DNSSEC, you'd also care about being 'security lame' etc, further
complicating things.

Bert
From owner-namedroppers@ops.ietf.org Fri May 22 17:22:35 2009
From: Paul Vixie
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Selecting which name server IP address to query
Date: Sat, 23 May 2009 00:16:17 +0000

> From: bert hubert
> Date: Fri, 22 May 2009 22:53:59 +0200
>
> PowerDNS is both cool (I think) and weird in this respect. PowerDNS
> measures RTT, and selects the server with the lowest RTT. Unknown
> servers have a 0 RTT.
>
> The measured RTT decays over time, so a server that 'used to be slow'
> gets a chance to prove itself after a while (because it is considered to
> become 'faster' over time). A timeout is accounted as a 1000ms RTT. In
> addition, servers that don't answer get throttled anyhow.

since many servers have a legitimate TTL in the 5 to 10 second range,
what does this do to your server selection if nonanswer is recorded as
1 second for the purpose of comparison?

> What is not cool is that statistics are kept per nameserver *name* -
> which is somewhat of a chicken and egg problem. When confronted with 10
> nameserver names, PowerDNS may remember one of them being really fast,
> only to discover later on that we forgot its IP address.
>
> The statistics per name are counted as the fastest IP address we used
> to know for that name. These decay individually, so all IP addresses
> get a chance over time. This includes IPv6 addresses on a strictly
> equal basis.

since multiple addresses used to (before anycasting and loadbalancing)
mean a multihomed server, it's good in my opinion to treat the addresses
separately for most purposes.
one optimization that always seemed useful to me is that if one of a
server's addresses is SERVFAIL'ing for a zone, it's not necessary to
query any of the server's other addresses when making queries in that
zone. (but it's only an optimization -- so if your NS RR has expired and
you don't know what other addresses belong to the same server and you
have to go get a SERVFAIL from each of them in turn, it's no big deal.)

> > Matthew is correct that there isn't guidance documented anywhere, to my
> > knowledge. The only place in the DNS specifications that touch on this
> > that I'm aware of is Section 5.3.3 of RFC 1034. Note that this entire
> > problem is essentially summarized in that RFC as:
> >
> >   2. Find the best servers to ask.
>
> Guidance is fine by me, but I'd hate for an RFC to stifle innovation
> by proscribing certain behaviour. This is as true as it is for
> legislation ('real laws') as it is for standards.

agreed. the algo described above for powerdns is basically what BIND has
done since 1986, but i always thought of it as a BCP or FYI, and not an
STD.
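A small model of the RTT-based selection Bert describes (lowest estimated RTT wins, unknown servers score 0, a timeout scores 1000 ms, estimates decay individually, one entry per address as Paul suggests) and of the question Paul raises about a legitimately slow server next to one that never answers. This is illustrative code added to the archive, not PowerDNS or BIND source; the decay rate, the smoothing weight and the 192.0.2.x addresses are assumptions made for the example.

```python
"""Model of RTT-based name server selection as described in this thread.

Illustrative code written for this archive, not PowerDNS or BIND source.
Rules taken from the thread: lowest estimated RTT wins, an unknown server
counts as 0 ms, a timeout counts as 1000 ms, estimates decay over time and
each address is tracked separately.  The decay rate, the smoothing weight
and the sample addresses are assumptions made for this example.
"""

TIMEOUT_RTT_MS = 1000.0      # from the thread: a timeout is accounted as 1000 ms
DECAY_PER_SECOND = 0.9       # assumption: an estimate shrinks 10% per idle second
SAMPLE_WEIGHT = 0.5          # assumption: weight given to the newest measurement


class RttSelector:
    """One RTT estimate per server *address*, decayed since its last update."""

    def __init__(self, decay=DECAY_PER_SECOND, weight=SAMPLE_WEIGHT):
        self.entries = {}   # address -> (estimate_ms, time_of_last_update)
        self.decay = decay
        self.weight = weight
        self.now = 0.0      # simulated clock, in seconds

    def advance(self, seconds):
        self.now += seconds

    def estimate(self, address):
        # Unknown servers score 0 ms, so they are tried before any measured one.
        if address not in self.entries:
            return 0.0
        rtt, last = self.entries[address]
        # Individual decay: the longer an address sits unused, the lower its
        # estimate, which is what lets a formerly slow server be retried.
        return rtt * self.decay ** (self.now - last)

    def select(self, addresses):
        # Lowest estimate wins; ties are broken on the address for determinism.
        return min(addresses, key=lambda a: (self.estimate(a), a))

    def record(self, address, rtt_ms):
        if address in self.entries:
            old = self.estimate(address)
            est = (1 - self.weight) * old + self.weight * rtt_ms
        else:
            est = float(rtt_ms)
        self.entries[address] = (est, self.now)

    def record_timeout(self, address):
        self.record(address, TIMEOUT_RTT_MS)


def simulate(selector, behaviour, rounds, seconds_per_round=0):
    """behaviour maps address -> observed RTT in ms, or None for a server that
    never answers.  Returns the address chosen in each round."""
    chosen = []
    for _ in range(rounds):
        addr = selector.select(sorted(behaviour))
        chosen.append(addr)
        if behaviour[addr] is None:
            selector.record_timeout(addr)
        else:
            selector.record(addr, behaviour[addr])
        selector.advance(seconds_per_round)
    return chosen


def timeout_scoring_scenario():
    """Paul's question: a server that legitimately answers in 5 s next to one
    that never answers.  Scoring a timeout as 1000 ms makes the dead server
    look faster, so it keeps being selected.  Addresses are constructed."""
    behaviour = {"192.0.2.1": 5000.0, "192.0.2.2": None}
    return simulate(RttSelector(), behaviour, rounds=4)


def decay_retry_scenario():
    """A server that timed out once is retried only after its 1000 ms score
    has decayed below the healthy server's estimate.  Returns the round in
    which it is first tried again."""
    sel = RttSelector()
    sel.record("192.0.2.1", 50.0)      # measured fast
    sel.record_timeout("192.0.2.2")    # scored as 1000 ms
    behaviour = {"192.0.2.1": 50.0, "192.0.2.2": 50.0}  # .2 is healthy now
    chosen = simulate(sel, behaviour, rounds=40, seconds_per_round=1)
    return chosen.index("192.0.2.2")


if __name__ == "__main__":
    print("timeout scoring:", timeout_scoring_scenario())
    print("timed-out server retried in round", decay_retry_scenario())
```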
If you have trouble viewing this e-mail, please click here.

Everyone
Will Want
Your New Secret

ACAI POWER SLIM

Discover the secret today!
Click here for details

To review our Privacy Policy, please click here.

To ensure the delivery of your informative updates from Dr. Lark and the Daily Balance
Team, please add dnsext-archive@lists.ietf.org to your email address book.

************TO UNSUBSCRIBE************
You are receiving this e-mail at dnsext-archive@lists.ietf.org because you
indicated an interest in receiving special updates and offers from Dr. Lark.
We hope that you find these updates helpful, but if you would rather not
receive them, you can unsubscribe by clicking here. You will be
immediately unsubscribed from our database. Remember, your personal information
will only be used by Healthy Directions, LLC, for editorial and marketing purposes.
Thank you.

Daily Balance
700 Indian Springs Drive
Lancaster, PA 17601

22.05.2009

Product news

Register for Emails | Email the Editor | Advertising Enquiries

Chemist+Druggist is published by CMPMedica - Healthcare division of UBM
Company number 370721. Registered office: Ludgate House, 245 Blackfriars Road, London SE1 9UY
To change any of your C+D website account details click here
If you would prefer not to receive newsletter emails from Chemist+Druggist please click here


THE SECRETS TO
Subscribe for catalogs
Unsubscribe | Your Privacy Rights

2008 Rodale Inc., all rights reserved.
Customer Service Department, 33 East Minor Street, Emmaus, PA 18098
From owner-namedroppers@ops.ietf.org Sun May 24 21:31:22 2009
Date: Sun, 24 May 2009 21:21:37 -0700
From: JINMEI Tatuya / 神明達哉
To: Matthew Dempsky
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Selecting which name server IP address to query

At Fri, 22 May 2009 10:18:33 -0700, Matthew Dempsky wrote:

> What algorithm do existing DNS caches use for deciding what IP
> addresses to send queries to?
>
> E.g., suppose example.com has the following NS, A, and AAAA records:
>
> example.com. NS a.ns.example.com.
> example.com. NS b.ns.example.com.
> example.com. NS c.ns.example.com.
> example.com. NS d.ns.example.com.
>
> a.ns.example.com. A 42.0.0.1
> a.ns.example.com. A 42.0.0.2
> a.ns.example.com. AAAA 2001::1
> a.ns.example.com. AAAA 2001::2
>
> b.ns.example.com. A 42.0.0.3
> b.ns.example.com. AAAA 2001::3
>
> c.ns.example.com. A 42.0.0.4
>
> d.ns.example.com. AAAA 2001::5

I don't know how much detail you'd like to know, but you may be interested in the description and analysis in this paper:

http://www.sonycsl.co.jp/~kjc/papers/placement.pdf

I also described BIND9's selection algorithm in more detail in a book I coauthored. In case you're interested in this level of detail (it should be easily applicable to your example), I've pasted the relevant part below (it includes LaTeX markup and some unresolvable references, but I believe it's reasonably readable), where "dns-server-selection" is the paper I referenced above.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

The BIND9 caching server implementation maintains a \textit{smoothed round trip time} (SRTT) for each remote authoritative server address to determine in which order the caching server should try the authoritative servers of a given zone~\cite{dns-server-selection}\footnote{As noted in \cite{dns-server-selection}, older versions of BIND9 did not use an SRTT.}. The selection algorithm prefers remote servers with smaller SRTT values since they should be more responsive than others. In particular, it ensures that a server that is likely to be down or unreachable will not be tried first for some period, thereby making the entire resolution process faster.

Here is an example of server address selection. Assume a caching server tries to resolve a name under the \verb;example; domain and gets the following response from the root server:

\begin{verbatim}
example.      NS    ns1.example.
example.      NS    ns2.example.
ns1.example.  A     192.0.2.1    (15ms)
ns1.example.  AAAA  2001:db8::1  (10ms)
ns2.example.  A     192.0.2.2    (20ms)
ns2.example.  AAAA  2001:db8::2  (30ms)
\end{verbatim}

Also suppose the current SRTT values of each address are the ones shown with the glue records, which are 15ms, 10ms, 20ms, and 30ms (from top to bottom).

Then the address selection routine in the BIND9 implementation constructs a temporary data structure corresponding to these addresses with their known SRTT values as follows: The names of the nameservers (i.e., the RDATA of the NS records) compose a list, and each entry of the list is also a list of IPv4 and IPv6 addresses (i.e., the RDATA of the glue A and AAAA records). Each entry of the address list also stores the known SRTT value of the address.

Next the address selection routine sorts the addresses as follows:

\begin{itemize}
\item It first sorts the list of addresses for each nameserver in ascending order regarding SRTT. That is, the \textit{nearest} address will be placed at the head of the list.
\item Then the routine sorts the list of the nameservers based on the SRTT of the head entry of their address lists.
\end{itemize}

The next step is to choose an address in this list for an outgoing query. The decision is made as follows: It begins with the head entry of the address list in the head entry of the nameserver list. The chosen address entry is marked, and is used as the destination address of the query. The entry of the nameserver list that contains the chosen address is remembered for possible retries of the same query. In the second try, due to some failure in the first attempt, the search moves to the next entry to the recorded entry of the nameserver list, and chooses the first unmarked address entry within its internal list. Again, the chosen address entry is marked, and this address is used as the source address. When the search reaches the end of the nameserver list, it moves back to the head entry of the list and finds the first unmarked entry within its internal list.

As a result, the first query will be sent to \verb;2001:db8::1;. If it fails due to an erroneous response or timeout, \verb;192.0.2.2;, \verb;192.0.2.1;, and \verb;2001:db8::2; will be tried in this order. It should be noted that the second query will be sent to \verb;192.0.2.2;, while its SRTT is larger than that of \verb;192.0.2.1;. This probably comes from the observation that the same server name (such as \verb;ns1.example;) is likely to specify the same server, and that if one of the addresses does not work others will likely not either.

Sending a query to the selected address may fail for various reasons. One common case is that the querying server runs a dual-stack kernel supporting both IPv4 and IPv6 but does not have IPv6 connectivity. Usually the server implementation will notice the failure from the result of the sending system call (which is \verb;sendmsg(); in the case of BIND9) and can move to a different address quickly. In addition, the SRTT of the address for which \verb;sendmsg(); fails is penalized so that the preference level of this address for succeeding queries will be lowered.

The BIND9 implementation initializes the SRTT of each server address with a random value. Considering some top level authoritative servers have IPv6 addresses (i.e., AAAA glue records) as was seen in Section \ref{chap2-3subsec:edns0}, this means that an IPv6 address can be the first candidate even on a caching server without IPv6 connectivity. The immediate fall back described above is thus crucial for smooth operation. In fact, until version 9.2.5 and 9.3.1, BIND9 did not handle erroneous results of \verb;sendmsg();, occasionally causing a few seconds of delay in name resolution under the \verb;com; domain.
This had been a well-known trouble for some period of time. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: From dnsk@geocities.com Mon May 25 06:46:47 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0AD4E3A6B8E for ; Mon, 25 May 2009 06:46:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -48.415 X-Spam-Level: X-Spam-Status: No, score=-48.415 tagged_above=-999 required=5 tests=[BAYES_99=3.5, GB_I_LETTER=-2, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, HS_INDEX_PARAM=0.001, HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001, MANGLED_OFF=2.3, MIME_HTML_ONLY=1.457, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Rl94afwr00i for ; Mon, 25 May 2009 06:46:40 -0700 (PDT) Received: from amerblind.outbound.ed10.com (ablutionsless-encore.volia.net [93.72.223.236]) by core3.amsl.com (Postfix) with SMTP id 9949C3A67DF for ; Mon, 25 May 2009 06:46:39 -0700 (PDT) X-Originating-IP: [23.06.44.5] X-Originating-Email: [dnsext-archive@ietf.org] X-Sender: dnsext-archive@ietf.org To: Subject: RE: DISCOUNT ID12725 78% 0FF on Pfizer ! From: dnsext-archive@ietf.org MIME-Version: 1.0 Importance: High Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <20090525134639.9949C3A67DF@core3.amsl.com> Date: Mon, 25 May 2009 06:46:39 -0700 (PDT) Welcome to WebMD
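The selection procedure described in the excerpt above, written out as an added illustration in Python; this is an independent model for readers of the archive, not code from the message or from BIND9 itself. The data structures and function names are the example's own, the first data set reproduces the excerpt's ns1/ns2 example, and the SRTT values attached to Matthew's four-nameserver example are constructed, since his question gave none.

```python
"""Model of the BIND9 address-selection procedure described in the excerpt.

Added example; independent re-implementation for illustration, not BIND9
code. Names and data structures are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Address:
    ip: str
    srtt: float           # smoothed round trip time, in milliseconds
    marked: bool = False  # set once this address has been used for a try


@dataclass
class NameServer:
    name: str
    addrs: list           # Address entries, sorted by ascending SRTT


def build_selection_list(glue, srtt):
    """Build the temporary structure: a list of nameservers, each holding its
    address list sorted by SRTT, with the nameserver list itself sorted by
    the SRTT of each head address.

    glue: {ns_name: [ip, ...]}  (RDATA of the NS records and their glue)
    srtt: {ip: srtt_ms}         (the cache's current SRTT per address)
    """
    servers = []
    for name, ips in glue.items():
        addrs = [Address(ip, srtt[ip]) for ip in ips]
        addrs.sort(key=lambda a: a.srtt)       # nearest address at the head
        servers.append(NameServer(name, addrs))
    servers.sort(key=lambda ns: ns.addrs[0].srtt)  # by head-entry SRTT
    return servers


def next_address(servers, last_ns_index):
    """Choose the address for the next try and mark it.

    The first try starts at the head nameserver; each retry starts at the
    nameserver after the one used last time, wrapping to the head, and takes
    the first unmarked address it finds. Returns (ns_index, Address), or
    (None, None) once every address has been marked.
    """
    n = len(servers)
    start = 0 if last_ns_index is None else (last_ns_index + 1) % n
    for step in range(n):
        idx = (start + step) % n
        for addr in servers[idx].addrs:
            if not addr.marked:
                addr.marked = True
                return idx, addr
    return None, None


def query_order(glue, srtt):
    """Full order in which addresses would be tried if every try failed."""
    servers = build_selection_list(glue, srtt)
    order, last = [], None
    while True:
        last, addr = next_address(servers, last)
        if addr is None:
            return order
        order.append(addr.ip)


# The excerpt's example: ns1/ns2.example with the SRTTs shown beside the glue.
EXCERPT_GLUE = {
    "ns1.example.": ["192.0.2.1", "2001:db8::1"],
    "ns2.example.": ["192.0.2.2", "2001:db8::2"],
}
EXCERPT_SRTT = {"192.0.2.1": 15, "2001:db8::1": 10,
                "192.0.2.2": 20, "2001:db8::2": 30}

# Matthew's four-nameserver example. The SRTT values are constructed here
# for illustration; the original question gave none.
QUESTION_GLUE = {
    "a.ns.example.com.": ["42.0.0.1", "42.0.0.2", "2001::1", "2001::2"],
    "b.ns.example.com.": ["42.0.0.3", "2001::3"],
    "c.ns.example.com.": ["42.0.0.4"],
    "d.ns.example.com.": ["2001::5"],
}
QUESTION_SRTT = {"42.0.0.1": 25, "42.0.0.2": 12, "2001::1": 40, "2001::2": 18,
                 "42.0.0.3": 8, "2001::3": 50, "42.0.0.4": 30, "2001::5": 5}

if __name__ == "__main__":
    print(query_order(EXCERPT_GLUE, EXCERPT_SRTT))
    # -> ['2001:db8::1', '192.0.2.2', '192.0.2.1', '2001:db8::2']
    print(query_order(QUESTION_GLUE, QUESTION_SRTT))
```

The second run shows the same rotation across nameservers at work when one server name carries four addresses and another only a single AAAA record.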
From owner-namedroppers@ops.ietf.org Wed May 27 11:41:18 2009
Date: Wed, 27 May 2009 14:33:15 -0400
From: Ólafur Guðmundsson /DNSEXT chair
To: namedroppers@ops.ietf.org
Subject: [dnsext] DNSEXT to meet at IETF-75/Stockholm
Message-Id: <200905271833.n4RIXK3C005019@stora.ogud.com>

The chairs have determined that there is sufficient reason to have the meeting.

We have started the process of updating the WG charter to reflect the additions to our work items:
- EDNS0-bis
- GOST algorithm additions
- Forgery Resilience (stay tuned for details)

Send in agenda items; so far we have:
  GOST Algorithm document
  Forgery Resilience work (or not)
  New charter
  EDNS0 Option hurdle, go to template like for RR types ?

Olafur and Andrew

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
From owner-namedroppers@ops.ietf.org Fri May 29 01:39:14 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1DE493A68C3; Fri, 29 May 2009 01:39:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.015 X-Spam-Level: X-Spam-Status: No, score=-106.015 tagged_above=-999 required=5 tests=[AWL=0.234, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJCPuC0tgQP9; Fri, 29 May 2009 01:39:13 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 867283A687F; Fri, 29 May 2009 01:39:12 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M9xWI-000ByF-7I for namedroppers-data0@psg.com; Fri, 29 May 2009 08:32:54 +0000 Received: from [2001:660:3003:2::4:11] (helo=mx2.nic.fr) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1M9xW6-000BxH-4a for namedroppers@ops.ietf.org; Fri, 29 May 2009 08:32:48 +0000 Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id BA1891C0122 for ; Fri, 29 May 2009 10:32:40 +0200 (CEST) Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx2.nic.fr (Postfix) with ESMTP id AA2641C011B for ; Fri, 29 May 2009 10:32:40 +0200 (CEST) Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay1.nic.fr (Postfix) with ESMTP id A8437A1D925 for ; Fri, 29 May 2009 10:32:40 +0200 (CEST) Date: Fri, 29 May 2009 10:32:40 +0200 From: Stephane Bortzmeyer To: namedroppers@ops.ietf.org Subject: [dnsext] [dotis@mail-abuse.org: Re: DNS over SCTP] Message-ID: <20090529083240.GB3626@nic.fr> MIME-Version: 1.0 Content-Type: multipart/mixed; 
boundary="SUOF0GtieIMvvwua" Content-Disposition: inline X-Operating-System: Debian GNU/Linux 5.0.1 X-Kernel: Linux 2.6.26-1-686 i686 Organization: NIC France X-URL: http://www.nic.fr/ User-Agent: Mutt/1.5.18 (2008-05-17) Sender: owner-namedroppers@ops.ietf.org Precedence: bulk List-ID: --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This is related to the strategic discussions about object security (DNSSEC) vs. improved channel security (cookies, EDNS ping). For once, D. Otis is clear and non-confrontational so I forward his message here. --SUOF0GtieIMvvwua Content-Type: message/rfc822 Content-Disposition: inline Return-Path: Received: from maya.nic.fr [192.134.4.160] by batilda.nic.fr with POP3 (fetchmail-6.3.9-rc2) for (single-drop); Fri, 29 May 2009 02:40:04 +0200 (CEST) Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by maya20.nic.fr (8.12.4/8.12.4) with ESMTP id n4T0bGCc1069697 for ; Fri, 29 May 2009 02:37:16 +0200 (CEST) Received: by relay1.nic.fr (Postfix) id 1A5EAA1D9D1; Fri, 29 May 2009 02:37:16 +0200 (CEST) Delivered-To: bortzmeyer@nic.fr Received: from mx1.nic.fr (mx1.nic.fr [192.134.4.10]) by relay1.nic.fr (Postfix) with ESMTP id 18A66A1D9A5; Fri, 29 May 2009 02:37:16 +0200 (CEST) Received: from mx1.nic.fr (localhost [127.0.0.1]) by mx1.nic.fr (Postfix) with SMTP id 0BA071198001; Fri, 29 May 2009 02:37:16 +0200 (CEST) Received: by mx1.nic.fr (Postfix, from userid 500) id C752C1198002; Fri, 29 May 2009 02:37:15 +0200 (CEST) Received: from mail.ietf.org (mail.ietf.org [IPv6:2001:1890:1112:1::20]) by mx1.nic.fr (Postfix) with ESMTP id 10D281198001; Fri, 29 May 2009 02:37:15 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DAC883A6BA1; Thu, 28 May 2009 17:34:51 -0700 (PDT) X-Original-To: ietf@core3.amsl.com Delivered-To: ietf@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 983B43A67C0 for ; 
Thu, 28 May 2009 17:34:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.331 X-Spam-Level: X-Spam-Status: No, score=-6.331 tagged_above=-999 required=5 tests=[AWL=0.268, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwFeCBgBp-PW for ; Thu, 28 May 2009 17:34:48 -0700 (PDT) Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id A80553A6B78 for ; Thu, 28 May 2009 17:34:48 -0700 (PDT) Received: from [IPv6:::1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 8B77FA9443A; Fri, 29 May 2009 00:36:31 +0000 (UTC) Message-Id: <85FC4673-7256-4372-B4DD-260A3F8AEDA9@mail-abuse.org> Old-From: Douglas Otis To: David Conrad In-Reply-To: <1E0EDA86-CFF5-40AC-AEE8-E943317E1E3C@virtualized.org> Mime-Version: 1.0 (Apple Message framework v935.3) Old-Subject: Re: DNS over SCTP Date: Thu, 28 May 2009 17:36:30 -0700 References: <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org> <200905251603.MAA16221@Sparkle.Rodents-Montreal.ORG> <4A1D64C9.5060505@tana.it> <47BC2197-472E-4615-97D2-F7E42B8F3B7D@mail-abuse.org> <4A1E8BD3.8000103@tana.it> <20090528131509.GA13521@nic.fr> <4A1E9CBF.4010703@tana.it> <20090528142325.GA22943@nic.fr> <4A1EB214.6090507@tana.it> <1E0EDA86-CFF5-40AC-AEE8-E943317E1E3C@virtualized.org> X-Mailer: Apple Mail (2.935.3) Cc: ietf@ietf.org, Anti-Spam Research Group - IRTF , Alessandro Vesely X-BeenThere: ietf@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: IETF-Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes" Sender: ietf-bounces@ietf.org Errors-To: ietf-bounces@ietf.org 
Subject: Re: DNS over SCTP
From: Douglas Otis

On May 28, 2009, at 9:45 AM, David Conrad wrote:

> On May 28, 2009, at 5:47 AM, Alessandro Vesely wrote:
>> I don't trust the data because it is signed, I trust it because the
>> signature proves that it originated from the authoritative server.
>
> Not quite. The signature over the data proves that the holder of
> the private key has signed the data. The origin of that data then
> becomes irrelevant.

This discussion started by describing how an authorization protocol might utilize macros embedded within a DNS cache to stage relatively free DDoS attacks, all of which would be made worse by DNSSEC. Preventing DNS poisoning was also a concern expressed, which is likely to go hand in hand with the DNS enabled attack. Since DNS is normally connectionless, security solutions like SSL have been dismissed. While DNSSEC may protect against data corruption, such protection depends upon the thorny problem of verifying a key will be solved in a practical and politically acceptable manner. This protection also requires authoritative servers to rapidly adopt DNSSEC without also confronting other insurmountable deployment issues. Fool me once, shame on you. Fool me twice...

>> Therefore, if I'm connected with the authoritative server over a
>> trusted channel, I can trust the data even if it isn't signed.
>
> Not really. You are relying on the fact that the authoritative
> server and (potentially) the channels it uses to communicate to the
> originator of the data have not been compromised.

Assume SCTP becomes generally available as a preferred transport for DNS. If so, an ability to corrupt DNS information would be greatly reduced, whether data is signed or not. In addition, SCTP can safely carry larger signed results without the DDoS concerns that will exist for either TCP or EDNS0 over UDP. Deploying DNS on SCTP should be possible in parallel with the DNSSEC effort.

>> By induction, if a resolver only uses either signed data or trusted
>> channels, I can trust it.
>
> A trusted channel is superfluous when the data is signed.

Receiving signed data represents just a fraction of the challenges facing DNSSEC. :^(

>> The limitations in TCP or SCTP security stem from an attacker's
>> ability to compromise one or more routers, so as to either tamper
>> with the packets on the fly, or redirect them to some other host.
>> That's much more difficult than forging the source address of an
>> UDP packet, though.
>
> True, but object security removes even the residual risk of channel
> compromise (e.g., a compromised router).
>
> However, pragmatically speaking, I suspect it is going to be much,
> much easier to get DNSSEC deployed than it would be to get every
> router/firewall/NAT manufacturer and network operator to support/
> deploy SCTP, not to mention getting every DNSSEC server to support
> DNS over SCTP.

While TCP represents a possible fall-back method whenever UDP overflows, TCP is not assured. Instead of seldom, low prevalence might better describe TCP use in DNS. In addition, DNS servers prefer UDP over TCP when resources become scarce. TCP produces greater latency, requires more back and forth exchanges, and strands resources whenever confronting spoofed connection attempts. While EDNS0 allows UDP to carry larger signed packets, this also increases UDP's exposure to increased reflected attacks that leverage the brute strength of DNS.

On the other hand, SCTP reserves resources until a request is confirmed by a returned cookie, which also allows data to be exchanged sooner than would be possible with TCP. Unlike TCP, SCTP carries chunks over multiple streams rather than non-delineated bytes over a single stream. SCTP connections consume minimal resources and can sustain longer sparse associations. SCTP also tunnels over UDP to provide compatibility with legacy NATs and firewalls. SCTP might soon become popular with browsers due to its inherent improvements on security and performance over TCP. A solid SCTP stack is now available in FreeBSD that has corporate friendly source licenses. :^)

If there is one lesson that should have been learned from the DNSSEC effort, resolving DNS problems will require dedicated long term planning. Within the same timeframe as DNSSEC, SCTP has been able to provide reliable and safe transport. You might be using SCTP whenever you make a phone call or watch your TV. It seems that the telephone, more than the Internet, is what people expect to just work.

-Doug
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
From: bert hubert
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] [dotis@mail-abuse.org: Re: DNS over SCTP]
Date: Fri, 29 May 2009 12:50:20 +0200
Message-ID: <3efd34cc0905290350y35590f74if4d602e252caaa4b@mail.gmail.com>
In-Reply-To: <20090529083240.GB3626@nic.fr>

On Fri, May 29, 2009 at 10:32 AM, Stephane Bortzmeyer wrote:
> This is related to the strategic discussions about object security
> (DNSSEC) vs. improved channel security (cookies, EDNS ping). For once,
> D. Otis is clear and non-confrontational so I forward his message
> here.

This has been discussed as far back as 2004, and no serious problems with this idea have ever been raised (as far as I can recall), except for the very sparse deployment of SCTP, plus the likelihood of many firewalls blocking this traffic.

The interesting thing is that DNS over SCTP with an authoritative server for a resolver currently has only three clear operational states:

1) no response (timeout)
2) error (icmp generated, or the equivalent of connection refused)
3) works

There is unlikely to be a lot in between. This makes fallback rather easy and unambiguous.

DCCP has also been raised as a transport mechanism.

Bert
From: Francis Dupont
To: bert hubert
Cc: Stephane Bortzmeyer, namedroppers@ops.ietf.org
Subject: Re: [dnsext] [dotis@mail-abuse.org: Re: DNS over SCTP]
Date: Fri, 29 May 2009 16:37:57 +0200
Message-Id: <200905291437.n4TEbvus041648@givry.fdupont.fr>
In-reply-to: Your message of Fri, 29 May 2009 12:50:20 +0200. <3efd34cc0905290350y35590f74if4d602e252caaa4b@mail.gmail.com>

In your previous mail you wrote:

   DCCP has also been raised as a transport mechanism.

=> and very far before RFC 955 section 3...

Francis.Dupont@fdupont.fr

From: Paul Vixie
To: Stephane Bortzmeyer
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] [dotis@mail-abuse.org: Re: DNS over SCTP]
Date: Fri, 29 May 2009 15:00:26 +0000
Message-ID: <90658.1243609226@nsa.vix.com>
In-Reply-To: Your message of "Fri, 29 May 2009 10:32:40 +0200." <20090529083240.GB3626@nic.fr>

sctp won't stop "provider in the middle" attacks and so, while i agree that it ought to be added as a DNS transport (solving certain problems UDP and TCP each have) i don't consider it relevant to the DNSSEC problem space.

From: Paul Vixie
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] [dotis@mail-abuse.org: Re: DNS over SCTP]
Date: Fri, 29 May 2009 15:11:13 +0000
Message-ID: <91157.1243609873@nsa.vix.com>
In-Reply-To: Your message of "Fri, 29 May 2009 12:50:20 +0200." <3efd34cc0905290350y35590f74if4d602e252caaa4b@mail.gmail.com>

> From: bert hubert
> Date: Fri, 29 May 2009 12:50:20 +0200
>
> This has been discussed as far back as 2004, and no serious problems
> with this idea have ever been raised (as far as I can recall), except
> for the very sparse deployment of SCTP, plus the likelihood of many
> firewalls blocking this traffic.

for interested readers, the most recent thread on this begins at:

http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01454.html

(noting that doug otis was also very much present in that discussion.)
From: Ólafur Guðmundsson /DNSEXT chair
To: namedroppers@ops.ietf.org
Subject: [dnsext] Draft DNSEXT charter
Date: Fri, 29 May 2009 11:56:59 -0400
Message-Id: <200905291557.n4TFv4ek030806@stora.ogud.com>

Dear colleagues,

Attached is our first draft of an updated charter that allows us to add the items pending adoption (GOST DNSSEC algorithms, Forgery Resilience).

Instead of having to re-charter every time a new draft is deemed worthy of the working group's effort we have created narrow categories that allow us to perform "protocol maintenance" as needed.

Milestones are preliminary and will be updated based on WG discussion.

Comments please,
Olafur & Andrew

----- DNSEXT draft charter v20090527 -------

The DNS has a large installed base and repertoire of protocol specifications. The DNSEXT WG group will actively advance DNS protocol-related RFCs on the standards track while thoroughly reviewing further proposed extensions. The scope of the DNSEXT WG is confined to the DNS protocol, particularly changes that affect DNS protocols "on the wire" or the internal processing of DNS data. DNS operations are out of scope for the WG.

The WG will limit itself to review of proposals for new extensions and clarification to the DNS protocol, including DNSSEC. Adoption of new work targeted for standards track will require changes to this charter.

The working group can nevertheless undertake work in the following subjects without a charter change:
    DNSSEC and TSIG/TKEY algorithm maintenance,
    Hardening DNS protocol against forgery attempts,
    Advancing existing Proposed standard RFC's to Draft/Full standard
    Obsoleting RFC's.

Before formal adoption of any such items at least 5 working group participants must publicly state that the item is within charter and is a worthwhile item for further study.

The DNSEXT WG will conduct the specified RFC5395 review of RR templates as they are posted, and EDNS0 Option templates if EDNS0-bis updates registration requirements.

The WG does not intend to hold face to face meetings, though may do so if deemed necessary for resolution of a specific issue at hand.

Milestones:
Jun 2009  TSIG/MD5 Obsoleting to IESG.
Jul 2009  AXFR Clarify to IESG
Sep 2009  EDNS0 Ping Option advanced to IESG
Oct 2009  Resolver side Forgery Resilience advanced to IESG
Oct 2009  DNSSEC Errata document to IESG
Nov 2009  GOST DNSKEY and DS support advanced to IESG
Dec 2009  EDNS0-bis update advanced to IESG

[attachment: charter-20090527.txt]
From: Ray.Bellis@nominet.org.uk
To: Ólafur Guðmundsson /DNSEXT chair
Cc: namedroppers@ops.ietf.org, owner-namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Date: Fri, 29 May 2009 19:13:57 +0100
In-Reply-To: <200905291557.n4TFv4ek030806@stora.ogud.com>

> Attached is our first draft of an updated charter that allows us
> to add the items pending adoption. (GOST DNSSEC algorithms, Forgery
> Resilience)
>
> Instead of having to re-charter every time a new draft is deemed worthy of
> the working group's effort we have created narrow categories
> that allow us to perform "protocol maintenance" as needed.
>
> Milestones are preliminary and will be updated based on WG discussion.
>
> Comments please,

I would like to see the charter allow for work items that advise on correct _implementation_ (as opposed to _operation_) of the DNS protocols, such as my DNS Proxy BCP draft.

I'm unable to find a suitable place to drop this into the current text, though.

Ray

--
Ray Bellis, MA(Oxon) MIET
Senior Researcher in Advanced Projects, Nominet
e: ray@nominet.org.uk, t: +44 1865 332211
From: Florian Weimer
To: "George Barwood"
Cc: "David Conrad", "bert hubert", namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Date: Thu, 21 May 2009 20:16:25 +0200
In-Reply-To: <0BDB10F120AF4CB0A7B68B5E054FD886@localhost> (George Barwood's message of "Wed, 20 May 2009 23:17:35 +0100")
Message-ID: <87octmmidi.fsf@mid.deneb.enyo.de>

[ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ]

* George Barwood:

> Seriously, wasn't the purpose of RFC 3225 to allow deployment, as
> per the abstract :
>
> "In order to deploy DNSSEC (Domain Name System Security Extensions)
> operationally, DNSSEC aware servers should only perform automatic
> inclusion of DNSSEC RRs when there is an explicit indication that the
> resolver can understand those RRs."
>
> I don't see how ANY can be taken as an explicit indication that the
> resolver understands DNSSEC RRs, that's clearly not the case, so
> there is inconsistency.

Records at the QNAME of a query with QTYPE ANY are not DNSSEC records in the sense of RFC 3225.
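To make the two things George and Florian are arguing about concrete, here is an added example (my own construction, not code from anyone in this thread): it builds a DNS query with an EDNS0 OPT record, parses the QTYPE and the RFC 3225 DO bit back out of the wire format, and shows how a server's choice of records differs under the two readings of "QTYPE ANY with DO=0". The sample RRset and the any_returns_dnssec policy knob are assumptions made for the illustration, not anything the RFC or the thread specifies.

```python
import struct

# RR type codes from the IANA DNS parameters registry.
TYPE_A, TYPE_MX, TYPE_OPT, TYPE_ANY = 1, 15, 41, 255
TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3 = 43, 46, 47, 48, 50
DNSSEC_TYPES = {TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3}
# RFC 3225: DO is the most significant bit of the 16-bit flags half of the
# OPT RR TTL field (the TTL is ext-RCODE:8 | VERSION:8 | flags:16).
DO_FLAG = 0x8000

# Constructed sample: the records a server holds at the queried name.
SAMPLE_RRSET = [
    (TYPE_A, "192.0.2.1"),
    (TYPE_MX, "10 mail.example."),
    (TYPE_RRSIG, "A 8 1 3600 ... (constructed placeholder)"),
    (TYPE_DNSKEY, "257 3 8 ... (constructed placeholder)"),
]


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, edns=True, do=False, qid=0x1234):
    """Build a one-question query, optionally with an OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        ttl = DO_FLAG if do else 0  # ext-RCODE=0, VERSION=0, flags=DO or 0
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return msg


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off:]; return (name, next offset)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def parse_query(msg):
    """Return (qname, qtype, edns_present, do_bit) for a one-question query."""
    _qid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns, do = False, False
    for _ in range(arcount):  # the OPT pseudo-RR lives in the additional section
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and name == ".":
            edns = True
            do = bool(ttl & DO_FLAG)
    return qname, qtype, edns, do


def select_answer(query, rrset, any_returns_dnssec=False):
    """Pick which RRs at QNAME go into the answer section.

    A record whose type is exactly the QTYPE is a direct answer to the question,
    not an "automatic inclusion", so the DO rule does not govern it.  Other
    DNSSEC-type records are added only when DO=1.  Whether QTYPE ANY with DO=0
    should also return them is the open question in the thread; the
    any_returns_dnssec knob (an assumption here) selects either reading.
    """
    _qname, qtype, _edns, do = parse_query(query)
    chosen = []
    for rtype, rdata in rrset:
        if rtype == qtype:
            chosen.append((rtype, rdata))
        elif qtype == TYPE_ANY:
            if rtype not in DNSSEC_TYPES or do or any_returns_dnssec:
                chosen.append((rtype, rdata))
    return chosen


if __name__ == "__main__":
    for do in (False, True):
        q = build_query("example.", TYPE_ANY, do=do)
        print("ANY, DO=%d ->" % do, [t for t, _ in select_answer(q, SAMPLE_RRSET)])
```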
From: bert hubert
Date: Thu, 21 May 2009 21:04:30 +0200
To: Edward Lewis
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Question on RFC 3225 - DO Bit and ANY
Message-ID: <3efd34cc0905211204v788f6483m9e0d8cc9d3800539@mail.gmail.com>
References: <47EB15AA554A43A9B02FE19A439D3BDC@localhost> <20090520101849.GA13291@vacation.karoshi.com.> <753F12D35D914DC3985628D6B42F8259@localhost> <5A852E12-72E5-4941-9136-4CA7578BAFEF@virtualized.org> <3efd34cc0905201215m5be4da30g4661809f19630ce3@mail.gmail.com> <741EF571-1B43-4945-913C-9D539865A003@virtualized.org> <3efd34cc0905210349v57e160b4yf57d755d04f2c286@mail.gmail.com> <3efd34cc0905211048y793a4958m2316ad3172616051@mail.gmail.com>

[ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ]

On Thu, May 21, 2009 at 8:08 PM, Edward Lewis wrote:
> I don't get what the $7 figure means to the discussion.

It means that a rational organization will weigh the impact of even a 1% degradation of service very heavily if it means having to deal with all the people impacted by that 1%. Ask someone over at a large access provider about how they feel about doing any change that might cause 1% of their customers to contact them.

As an example, over at a large access provider I once changed the rounding algorithm used to determine if a mail user was over quota, which in turn overwhelmed the helpdesk until we changed back the rounding algorithm so it would round down again.

Life as seen from a registry or a registrar might very well be very different - I haven't worked at one.

>> I just measured, I consistently see 200 times fewer ANY queries than
>> MX queries on a large auth server. Many of these ANY queries indeed
>> appear to be email related.
>>
>> So the upper limit of 'huge ANY answer'-problems appears to be 'one in
>> 200 mail lookups'.
>
> I don't see a point to this observation, nor any supporting documentation
> for that matter.

The point is that I measured that there are indeed some ANY queries occurring, but that they are dwarfed by the amount of MX queries. This is relevant to the preceding discussion. It also actually supports the point that returning all records on a DO=0 query, including the DNSSEC ones, is unlikely to trip over many email related lookups.

It is sad that doing relevant measurements now elicits a response declaiming the lack of supporting documentation or 'point'.

Bert

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
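As an added example (not code from this thread), a small Python parser that reads the DO bit from the EDNS OPT RR of a wire-format query, the flag RFC 3225 defines, and then tallies ANY versus MX queries the way the measurement above does; the sample traffic is constructed (200 MX lookups, one ANY with DO=0, one ANY with DO=1), not a real capture.

```python
"""Read the EDNS DO bit (RFC 3225) from wire-format DNS queries and tally
ANY versus MX queries. Added example with constructed sample traffic."""
import struct
from collections import Counter

QTYPE_MX = 15
QTYPE_ANY = 255
TYPE_OPT = 41      # EDNS0 OPT pseudo-RR (RFC 2671)
DO_FLAG = 0x8000   # DO: top bit of the 16-bit extended flags in the OPT TTL field


def encode_name(name):
    """Dotted name -> wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, do_bit=None, txid=0x1234):
    """Constructed wire-format query. do_bit=None: plain RFC 1035 query with
    no OPT RR; True/False: append an OPT RR with DO set/clear."""
    arcount = 0 if do_bit is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN
    if do_bit is not None:
        ttl = DO_FLAG if do_bit else 0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return pkt


def decode_name(pkt, off):
    """Decode the name at off; return (dotted name, offset after the name).
    Follows RFC 1035 compression pointers, with a hop limit against loops."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if end is None:
                end = off + 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return (".".join(labels) + "." if labels else "."), end


def parse_query(pkt):
    """Return {'qname', 'qtype', 'edns', 'do'} for a single-question query."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    # Skip answer/authority RRs (normally absent): name, 10 fixed bytes, RDATA.
    for _ in range(an + ns):
        _, off = decode_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    edns = do = False
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = True
            do = bool(ttl & DO_FLAG)   # DO=1: querier understands DNSSEC RRs
    return {"qname": qname, "qtype": qtype, "edns": edns, "do": do}


def tally(packets):
    """Count queries by (qtype, DO), which is what sizes the 'huge ANY
    answer' exposure of answering DO=0 ANY queries with DNSSEC RRs."""
    counts = Counter()
    for pkt in packets:
        q = parse_query(pkt)
        counts[(q["qtype"], q["do"])] += 1
    return counts


def any_to_mx_ratio(counts):
    """ANY queries per MX query, regardless of DO."""
    mx = sum(n for (t, _), n in counts.items() if t == QTYPE_MX)
    any_q = sum(n for (t, _), n in counts.items() if t == QTYPE_ANY)
    return any_q / mx if mx else float("inf")


# Constructed sample traffic (not a real capture).
SAMPLE_QUERIES = (
    [build_query("example.com.", QTYPE_MX) for _ in range(200)]
    + [build_query("example.com.", QTYPE_ANY, do_bit=False),
       build_query("example.com.", QTYPE_ANY, do_bit=True)]
)

if __name__ == "__main__":
    c = tally(SAMPLE_QUERIES)
    print(dict(c), "ANY/MX ratio:", any_to_mx_ratio(c))
```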
From: bmanning@vacation.karoshi.com
Date: Fri, 29 May 2009 23:11:46 +0000
To: Ray.Bellis@nominet.org.uk
Cc: Ólafur Guðmundsson /DNSEXT chair, namedroppers@ops.ietf.org, owner-namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Message-ID: <20090529231146.GA13071@vacation.karoshi.com.>
References: <200905291557.n4TFv4ek030806@stora.ogud.com>

On Fri, May 29, 2009 at 07:13:57PM +0100, Ray.Bellis@nominet.org.uk wrote:
> > Attached is our first draft of an updated charter that allows us
> > to add the items pending adoption. (GOST DNSSEC algorithms, Forgery
> > Resilience)
> >
> > Instead of having to re charter every time a new draft is deemed worthy of
> > the working groups effort we have created narrow categories
> > that allow us to perform "protocol maintenance" as needed.
> >
> > Milestones are preliminary and will be updated based on WG discussion.
> >
> > Comments please,
>
> I would like to see the charter allow for work items that advise on
> correct _implementation_ (as opposed to _operation_) of the DNS protocols,
> such as my DNS Proxy BCP draft.
>
> I'm unable to find a suitable place to drop this into the current text,
> though.
>
> Ray

Ray steps on a very slippery slope here. Clearly the intent is good, but there is the problem of ensuring a correct specification on which to measure an implementation.

--bill
From: Andrew Sullivan
Date: Fri, 29 May 2009 21:22:58 -0400
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Message-ID: <20090530012258.GA13757@shinkuro.com>
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.>
In-Reply-To: <20090529231146.GA13071@vacation.karoshi.com.>

On Fri, May 29, 2009 at 11:11:46PM +0000, bmanning@vacation.karoshi.com wrote:
> On Fri, May 29, 2009 at 07:13:57PM +0100, Ray.Bellis@nominet.org.uk wrote:
> > I would like to see the charter allow for work items that advise on
> > correct _implementation_ (as opposed to _operation_) of the DNS protocols,
> > such as my DNS Proxy BCP draft.
>
> Ray steps on a very slippery slope here. Clearly the intent
> is good, but there is the problem of ensuring a correct specification
> on which to measure an implementation.

Is there something about the correctness of implementation that is different from "clarifications" to the protocol? Under the principle of charity, one could easily assume that any case where an implementer has deviated from the published specifications is attributable to some lack of clarity on the part of those standards. Under a broad meaning of "clarification", for instance, we could understand the dnsproxy draft as clarifying the implications of the protocol in respect of certain other systems or protocols. It's strictly a focus on the protocol's implications, and trying to make clear exactly the protocol's meaning.

Thoughts?

A

--
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
From: bmanning@vacation.karoshi.com
Date: Sat, 30 May 2009 04:28:51 +0000
To: Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Message-ID: <20090530042851.GA15364@vacation.karoshi.com.>
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.> <20090530012258.GA13757@shinkuro.com>
In-Reply-To: <20090530012258.GA13757@shinkuro.com>

On Fri, May 29, 2009 at 09:22:58PM -0400, Andrew Sullivan wrote:
> On Fri, May 29, 2009 at 11:11:46PM +0000, bmanning@vacation.karoshi.com wrote:
> > On Fri, May 29, 2009 at 07:13:57PM +0100, Ray.Bellis@nominet.org.uk wrote:
> >
> > > I would like to see the charter allow for work items that advise on
> > > correct _implementation_ (as opposed to _operation_) of the DNS protocols,
> > > such as my DNS Proxy BCP draft.
> >
> > Ray steps on a very slippery slope here. Clearly the intent
> > is good, but there is the problem of ensuring a correct specification
> > on which to measure an implementation.
>
> Is there something about the correctness of implementation that is
> different from "clarifications" to the protocol? Under the principle
> of charity, one could easily assume that any case where an implementer
> has deviated from the published specifications is attributable to some
> lack of clarity on the part of those standards. Under a broad meaning
> of "clarification", for instance, we could understand the dnsproxy
> draft as clarifying the implications of the protocol in respect of
> certain other systems or protocols. It's strictly a focus on the
> protocol's implications, and trying to make clear exactly the
> protocol's meaning.
>
> Thoughts?
>
> A

certainly.

a protocol is defined by specifications.
a spec is written down on paper.
an implementation is code built from a spec.

clarifications to a protocol are supposed to be reflected in the spec. and implementations are supposed to be updated based on changes to the spec.

or you could take the view that the code is the protocol spec and clarifications are changes to the code.

I think the IETF has a particular bias toward one of these two models.

The concern here is how one defines a "correct" implementation. compliant with a specification? If so, how does one assure the specification is "correct"?

To my knowledge, the IETF has rarely, if ever, stepped into the implementation compliance validation role. If DNSEXT should choose this path, please do so with eyes (and legal counsel) wide open.

--bill
From: Paul Hoffman
Date: Sat, 30 May 2009 08:08:50 -0700
To: bmanning@vacation.karoshi.com, Andrew Sullivan
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.> <20090530012258.GA13757@shinkuro.com> <20090530042851.GA15364@vacation.karoshi.com.>
In-Reply-To: <20090530042851.GA15364@vacation.karoshi.com.>

At 4:28 AM +0000 5/30/09, bmanning@vacation.karoshi.com wrote:
>On Fri, May 29, 2009 at 09:22:58PM -0400, Andrew Sullivan wrote:
>> On Fri, May 29, 2009 at 11:11:46PM +0000, bmanning@vacation.karoshi.com wrote:
>> > On Fri, May 29, 2009 at 07:13:57PM +0100, Ray.Bellis@nominet.org.uk wrote:
>> >
>> > > I would like to see the charter allow for work items that advise on
>> > > correct _implementation_ (as opposed to _operation_) of the DNS protocols,
>> > > such as my DNS Proxy BCP draft.
>> >
>> > Ray steps on a very slippery slope here. Clearly the intent
>> > is good, but there is the problem of ensuring a correct specification
>> > on which to measure an implementation.
>>
>> Is there something about the correctness of implementation that is
>> different from "clarifications" to the protocol? Under the principle
>> of charity, one could easily assume that any case where an implementer
>> has deviated from the published specifications is attributable to some
>> lack of clarity on the part of those standards. Under a broad meaning
>> of "clarification", for instance, we could understand the dnsproxy
>> draft as clarifying the implications of the protocol in respect of
>> certain other systems or protocols. It's strictly a focus on the
>> protocol's implications, and trying to make clear exactly the
>> protocol's meaning.
>>
>> Thoughts?
>>
>> A
>
>certainly.
>
> a protocol is defined by specifications.
> a spec is written down on paper.
> an implementation is code built from a spec.
>
> clarifications to a protocol are supposed to be
> reflected in the spec. and implementations are
> supposed to be updated based on changes to the spec.
>
> or you could take the view that the code is the protocol
> spec and clarifications are changes to the code.
>
> I think the IETF has a particular bias toward one of
> these two models.
>
> The concern here is how one defines a "correct" implementation.
> compliant with a specification? If so, how does one assure
> the specification is "correct"?
>
> To my knowledge, the IETF has rarely, if ever, stepped into the
> implementation compliance validation role. If DNSEXT should choose
> this path, please do so with eyes (and legal counsel) wide open.

This sounds like FUD. It is perfectly reasonable for a standards body to say "In spec A, we said B. After we published A, some implementers interpreted this as B'. Regardless of their reason for doing so, we are updating A to be clearer on what B is, and that it is not B'."

--Paul Hoffman, Director
--VPN Consortium

From: bmanning@vacation.karoshi.com
Date: Sat, 30 May 2009 16:28:31 +0000
To: Paul Hoffman
Cc: bmanning@vacation.karoshi.com, Andrew Sullivan, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Message-ID: <20090530162831.GA19893@vacation.karoshi.com.>
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.> <20090530012258.GA13757@shinkuro.com> <20090530042851.GA15364@vacation.karoshi.com.>

On Sat, May 30, 2009 at 08:08:50AM -0700, Paul Hoffman wrote:
> At 4:28 AM +0000 5/30/09, bmanning@vacation.karoshi.com wrote:
> >On Fri, May 29, 2009 at 09:22:58PM -0400, Andrew Sullivan wrote:
> >> On Fri, May 29, 2009 at 11:11:46PM +0000, bmanning@vacation.karoshi.com wrote:
> >> > On Fri, May 29, 2009 at 07:13:57PM +0100, Ray.Bellis@nominet.org.uk wrote:
> >> >
> >> > > I would like to see the charter allow for work items that advise on
> >> > > correct _implementation_ (as opposed to _operation_) of the DNS protocols,
> >> > > such as my DNS Proxy BCP draft.
> >> >
> >> > Ray steps on a very slippery slope here. Clearly the intent
> >> > is good, but there is the problem of ensuring a correct specification
> >> > on which to measure an implementation.
> >>
> >> Is there something about the correctness of implementation that is
> >> different from "clarifications" to the protocol? Under the principle
> >> of charity, one could easily assume that any case where an implementer
> >> has deviated from the published specifications is attributable to some
> >> lack of clarity on the part of those standards. Under a broad meaning
> >> of "clarification", for instance, we could understand the dnsproxy
> >> draft as clarifying the implications of the protocol in respect of
> >> certain other systems or protocols. It's strictly a focus on the
> >> protocol's implications, and trying to make clear exactly the
> >> protocol's meaning.
> >>
> >> Thoughts?
> >>
> >> A
> >
> >certainly.
> >
> > a protocol is defined by specifications.
> > a spec is written down on paper.
> > an implementation is code built from a spec.
> >
> > clarifications to a protocol are supposed to be
> > reflected in the spec. and implementations are
> > supposed to be updated based on changes to the spec.
> >
> > or you could take the view that the code is the protocol
> > spec and clarifications are changes to the code.
> >
> > I think the IETF has a particular bias toward one of
> > these two models.
> >
> > The concern here is how one defines a "correct" implementation.
> > compliant with a specification? If so, how does one assure
> > the specification is "correct"?
> >
> > To my knowledge, the IETF has rarely, if ever, stepped into the
> > implementation compliance validation role. If DNSEXT should choose
> > this path, please do so with eyes (and legal counsel) wide open.
>
> This sounds like FUD. It is perfectly reasonable for a standards body to say "In spec A, we said B. After we published A, some implementers interpreted this as B'. Regardless of their reason for doing so, we are updating A to be clearer on what B is, and that it is not B'."
>
> --Paul Hoffman, Director
> --VPN Consortium

that's updating a spec, not doing implementation conformance. but perhaps I am old fashioned... i think of an implementation as code based on a published spec. it seems that some think the implementation is the spec.

B will always be B, any update to A will create B' and B != B'

my problem here is not B or B', my problem is with understanding who gets to say what is "correct". two different implementations of RFC 1034 can follow that spec correctly and yet not be interoperable. the standards body can certainly declare RFC 1034 to be vague and subjective and rife with ambiguity... but its going to have a tough time claiming an implementation is not correctly implementing RFC 1034.

I am pretty sure that it is going to be impossible to be completely objective in defining a protocol or specification that envisions and encompasses all possible edge/corner cases into perpetuity. and as long as there is a subjective facet, we will have to deal w/ "rounding errors". correctness argues for mathematical proof.

--bill
archive: From owner-namedroppers@ops.ietf.org Sat May 30 13:56:21 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 360193A69CD; Sat, 30 May 2009 13:56:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.416 X-Spam-Level: X-Spam-Status: No, score=-2.416 tagged_above=-999 required=5 tests=[AWL=-0.117, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QC9PPwpC0OYa; Sat, 30 May 2009 13:56:20 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 933D428C193; Sat, 30 May 2009 13:56:14 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAVVQ-000I0I-DS for namedroppers-data0@psg.com; Sat, 30 May 2009 20:50:16 +0000 Received: from [2001:41d0:1:6d55:211:5bff:fe98:d51e] (helo=givry.fdupont.fr) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAVVF-000Hyo-4W for namedroppers@ops.ietf.org; Sat, 30 May 2009 20:50:10 +0000 Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.13.8/8.13.8) with ESMTP id n4UKnuvv049009; Sat, 30 May 2009 22:49:57 +0200 (CEST) (envelope-from dupont@givry.fdupont.fr) Message-Id: <200905302049.n4UKnuvv049009@givry.fdupont.fr> From: Francis Dupont To: =?iso-8859-1?Q?=D3lafur?= =?iso-8859-1?Q?_Gu=F0mundsson?= /DNSEXT chair cc: namedroppers@ops.ietf.org Subject: Re: [dnsext] Draft DNSEXT charter In-reply-to: Your message of Fri, 29 May 2009 11:56:59 EDT. 
<200905291557.n4TFv4ek030806@stora.ogud.com>
Date: Sat, 30 May 2009 22:49:56 +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

In your previous mail you wrote:

   Milestones:
   Jun 2009 TSIG/MD5 Obsoleting to IESG.
   Jul 2009 AXFR Clarify to IESG
   Sep 2009 EDNS0 Ping Option advanced to IESG
   Oct 2009 Resolver side Forgery Resilience advanced to IESG
   Oct 2009 DNSSEC Errata document to IESG
   Nov 2009 GOST DNSKEY and DS support advanced to IESG
   Dec 2009 EDNS0-bis update advanced to IESG

=> perhaps I've missed something, but I can't find the RSA-SHA256 for DNSSEC (i.e., draft-ietf-dnsext-dnssec-rsasha256) here?

Regards

Francis.Dupont@fdupont.fr

PS: I am sure you know it is critical to get this published and implemented before 2010.

archive:
From owner-namedroppers@ops.ietf.org Sat May 30 14:45:06 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8817C3A6A80; Sat, 30 May 2009 14:45:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.977
X-Spam-Level:
X-Spam-Status: No, score=-0.977 tagged_above=-999 required=5 tests=[AWL=-0.782, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9uttZgkx6KYC; Sat, 30 May 2009 14:45:05 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BDA503A697A; Sat, 30 May 2009 14:45:05 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAWJS-000LzN-Ty for namedroppers-data0@psg.com; Sat, 30 May 2009 21:41:58 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAWJH-000Lyk-Uz for namedroppers@ops.ietf.org; Sat, 30 May 2009 21:41:53 +0000
Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n4ULfifr048428; Sat, 30 May 2009 17:41:44 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200905302141.n4ULfifr048428@stora.ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sat, 30 May 2009 17:41:26 -0400
To: "George Barwood" ,
From: Ólafur Guðmundsson /DNSEXT chair
Subject: Re: [dnsext] Draft DNSEXT charter
In-Reply-To: <410DE05DE0284BFCB0DC7121717FE229@localhost>
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <410DE05DE0284BFCB0DC7121717FE229@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

At 15:51 29/05/2009, George Barwood wrote:
> > Hardening DNS protocol against forgery attempts,
>
> Is hardening DNS protocol against other attacks intended to be excluded?
>
> While forgery seems the most pressing concern, there might be concerns about
> authoritative DNSSEC servers being used as DoS amplifiers, for example.
>
> i.e. possibly substitute "forgery attempts" with "attacks" ?

How about just leaving it at "Hardening the DNS protocol"

Olafur
archive: From owner-namedroppers@ops.ietf.org Sat May 30 16:32:20 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 79C363A6F5F; Sat, 30 May 2009 16:32:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.495 X-Spam-Level: X-Spam-Status: No, score=-4.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stM0QRS0r+8K; Sat, 30 May 2009 16:32:19 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 829B23A6E75; Sat, 30 May 2009 16:32:19 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAXz6-0001oz-VF for namedroppers-data0@psg.com; Sat, 30 May 2009 23:29:04 +0000 Received: from [64.18.2.173] (helo=exprod7og110.obsmtp.com) by psg.com with smtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAXyv-0001oA-S3 for namedroppers@ops.ietf.org; Sat, 30 May 2009 23:28:59 +0000 Received: from source ([64.89.228.229]) (using TLSv1) by exprod7ob110.postini.com ([64.18.6.12]) with SMTP ID DSNKSiHBM7OvO5SzRHfpNmVJdkb8xOuYUayE@postini.com; Sat, 30 May 2009 16:28:53 PDT Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id BC4F01BD227; Sat, 30 May 2009 16:29:04 -0700 (PDT) Received: from [192.168.1.106] (206.128.65.126) by exchange-01.win.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.1.336.0; Sat, 30 May 2009 16:28:50 -0700 
CC: IETF DNSEXT WG
Message-ID: <212AEDDB-2CAD-4896-B877-D557BAA2D475@nominum.com>
From: Ted Lemon
To:
In-Reply-To: <20090530162831.GA19893@vacation.karoshi.com.>
Content-Type: text/plain; charset="US-ASCII"; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: [dnsext] Draft DNSEXT charter
Date: Sat, 30 May 2009 16:28:49 -0700
References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.> <20090530012258.GA13757@shinkuro.com> <20090530042851.GA15364@vacation.karoshi.com.> <20090530162831.GA19893@vacation.karoshi.com.>
X-Mailer: Apple Mail (2.935.3)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On May 30, 2009, at 9:28 AM, bmanning@vacation.karoshi.com wrote:
> two different implementations of RFC 1034 can follow that spec
> correctly and yet not be interoperable.

When this happens, it means that the spec needs further work before it can progress to standard. Which is, in fact, pretty much what Paul said that you seem to be disagreeing with. A spec that can produce conforming but not interoperable implementations does not document either B or B', and it is not a standard. It's entirely in scope for the IETF to decide to clarify the spec so that it unambiguously documents B, and excludes B'. That's what it means for a spec to progress on the standards track.
archive: From owner-namedroppers@ops.ietf.org Sat May 30 17:42:01 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31B003A6A0C; Sat, 30 May 2009 17:42:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.659 X-Spam-Level: X-Spam-Status: No, score=-4.659 tagged_above=-999 required=5 tests=[AWL=-0.164, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCONu6bnKrxq; Sat, 30 May 2009 17:42:00 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 2DC4A3A69DE; Sat, 30 May 2009 17:42:00 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAZ3m-00065Q-GI for namedroppers-data0@psg.com; Sun, 31 May 2009 00:37:58 +0000 Received: from [198.32.6.68] (helo=vacation.karoshi.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAZ3b-00063b-Dg for namedroppers@ops.ietf.org; Sun, 31 May 2009 00:37:52 +0000 Received: from karoshi.com (localhost.localdomain [127.0.0.1]) by vacation.karoshi.com (8.12.8/8.12.8) with ESMTP id n4V0agv3023710; Sun, 31 May 2009 00:36:42 GMT Received: (from bmanning@localhost) by karoshi.com (8.12.8/8.12.8/Submit) id n4V0ag7O023709; Sun, 31 May 2009 00:36:42 GMT Date: Sun, 31 May 2009 00:36:42 +0000 From: bmanning@vacation.karoshi.com To: Ted Lemon Cc: bmanning@vacation.karoshi.com, IETF DNSEXT WG Subject: Re: [dnsext] Draft DNSEXT charter Message-ID: <20090531003642.GA23664@vacation.karoshi.com.> References: <200905291557.n4TFv4ek030806@stora.ogud.com> <20090529231146.GA13071@vacation.karoshi.com.> <20090530012258.GA13757@shinkuro.com> 
<20090530042851.GA15364@vacation.karoshi.com.> <20090530162831.GA19893@vacation.karoshi.com.> <212AEDDB-2CAD-4896-B877-D557BAA2D475@nominum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <212AEDDB-2CAD-4896-B877-D557BAA2D475@nominum.com>
User-Agent: Mutt/1.4.1i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On Sat, May 30, 2009 at 04:28:49PM -0700, Ted Lemon wrote:
> On May 30, 2009, at 9:28 AM, bmanning@vacation.karoshi.com wrote:
> > two different implementations of RFC 1034 can follow that spec
> > correctly and yet not be interoperable.
>
> When this happens, it means that the spec needs further work before it
> can progress to standard. Which is, in fact, pretty much what Paul
> said that you seem to be disagreeing with. A spec that can produce
> conforming but not interoperable implementations does not document
> either B or B', and it is not a standard. It's entirely in scope for
> the IETF to decide to clarify the spec so that it unambiguously
> documents B, and excludes B'. That's what it means for a spec to
> progress on the standards track.

Or, as in the case above, it is a standard, but a flawed one.

No argument about the IETF role as you indicate. Where I think things run off the rails is when the IETF tells implementations that they are non-conformant. The IETF has never done conformance testing of implementations. It does protocols and specs. The trick (as Roy called for) was who and how "correctness" is decided for either a protocol, a spec, or an implementation.

If we (the IETF) are truly rigorous in our specifications, multiple independent implementations will be virtually identical. Math proofs are kind of like that.

--bill
archive: From owner-namedroppers@ops.ietf.org Sun May 31 01:09:59 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9CA9B3A6A6F; Sun, 31 May 2009 01:09:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.055 X-Spam-Level: X-Spam-Status: No, score=-0.055 tagged_above=-999 required=5 tests=[AWL=-0.805, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EW4EpPM+rtq9; Sun, 31 May 2009 01:09:59 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BF9B53A67D8; Sun, 31 May 2009 01:09:58 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAfzw-0004j0-Vc for namedroppers-data0@psg.com; Sun, 31 May 2009 08:02:28 +0000 Received: from [212.9.189.167] (helo=mail.enyo.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAfzl-0004i6-Po for namedroppers@ops.ietf.org; Sun, 31 May 2009 08:02:23 +0000 Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MAfzg-0006h4-GM; Sun, 31 May 2009 10:02:12 +0200 Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from ) id 1MAfzg-00027j-2K; Sun, 31 May 2009 10:02:12 +0200 From: Florian Weimer To: Francis Dupont Cc: =?iso-8859-1?Q?=D3lafur_Gu=F0mundsson?= /DNSEXT chair , namedroppers@ops.ietf.org Subject: Re: [dnsext] Draft DNSEXT charter References: <200905302049.n4UKnuvv049009@givry.fdupont.fr> Date: Sun, 31 May 2009 10:02:12 +0200 In-Reply-To: <200905302049.n4UKnuvv049009@givry.fdupont.fr> (Francis Dupont's message of "Sat, 30 May 2009 22:49:56 +0200") Message-ID: 
<87r5y566pn.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

* Francis Dupont:

> PS: I am sure you know it is critical to get this published and
> implemented before 2010.

This time frame is impossible to achieve due to the dependency on NSEC3.

archive:
From owner-namedroppers@ops.ietf.org Sun May 31 01:47:45 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BEA513A6A05; Sun, 31 May 2009 01:47:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[AWL=-0.761, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1r2rXPzUm6kt; Sun, 31 May 2009 01:47:45 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E4B893A69DE; Sun, 31 May 2009 01:47:44 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAgev-0007Kb-Ee for namedroppers-data0@psg.com; Sun, 31 May 2009 08:44:49 +0000
Received: from [212.9.189.167] (helo=mail.enyo.de) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAgek-0007Jk-Ko for namedroppers@ops.ietf.org; Sun, 31 May 2009 08:44:44 +0000
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MAgeg-0007NZ-En; Sun, 31 May 2009 10:44:34 +0200
Received: from fw by deneb.enyo.de with local
(Exim 4.69) (envelope-from ) id 1MAgef-0002Ew-CX; Sun, 31 May 2009 10:44:33 +0200
From: Florian Weimer
To: Paul Vixie
Cc: "Bart Smit" , namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl> <19043.1242398302@nsa.vix.com>
Date: Sun, 31 May 2009 10:44:33 +0200
In-Reply-To: <19043.1242398302@nsa.vix.com> (Paul Vixie's message of "Fri, 15 May 2009 14:38:22 +0000")
Message-ID: <87zlct4q6m.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

* Paul Vixie:

> it's controversial because it only works when it works, and when it fails,
> there's no distinction between an attack and a failure. we were not idiots
> back in the old days when EDNS was being crafted. we knew we needed a
> larger QID. we tried hard to include it. there's no way to do it and
> still properly negotiate EDNS.

But this is not the fault of any extended query ID proposal, it's the fault of EDNS.

DNSCurve shows a fully backwards-compatible way to signal protocol version information to recursive resolvers.

I mean, let's look at what elements of EDNS0 actually work:

* extended RCODEs (but I'm not sure about that)

* extended query flags (the DO bit seems pretty interoperable, even though it's overused, but this is not EDNS0's fault)

What does not work:

* the official fallback algorithm (section 5.3)

* large responses (interoperability problems, DoS amplification)

* extended label types (already officially dead)

* options (a FORMERR/SERVFAIL does not tell you which option caused the error, making fallback impossible; there is also a significant non-interoperating server base)

I wonder if there should be an actually working EDNS0 replacement which could then be used to implement extended query IDs.
archive:
From owner-namedroppers@ops.ietf.org Sun May 31 08:22:26 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D5BE028C1BD; Sun, 31 May 2009 08:22:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.16
X-Spam-Level:
X-Spam-Status: No, score=0.16 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTcZHNe-KNZy; Sun, 31 May 2009 08:22:24 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 5AA5F3A6B88; Sun, 31 May 2009 08:22:24 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAmmC-0007KX-Af for namedroppers-data0@psg.com; Sun, 31 May 2009 15:16:44 +0000
Received: from [74.125.44.28] (helo=yx-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAmls-0007J3-O6 for namedroppers@ops.ietf.org; Sun, 31 May 2009 15:16:38 +0000
Received: by yx-out-2324.google.com with SMTP id 8so3550228yxm.71 for ; Sun, 31 May 2009 08:16:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.86.10 with SMTP id j10mr2893863agb.116.1243782983345; Sun, 31 May 2009 08:16:23 -0700 (PDT)
Date: Sun, 31 May 2009 08:16:23 -0700
Message-ID:
Subject: Re: [dnsext] DNSCurve
From: Matthew Dempsky
To: Florian Weimer
Cc: "namedroppers@ops.ietf.org"
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On Sun, May 31, 2009 at 1:27 AM, Florian Weimer wrote:
> How is the cryptographic box created? I can't find information on
> that on the web pages, only the key agreement protocol is described.

Yes, the current pages do not yet define this (and I agree they should).

My DNSCurve implementations use the crypto_box_curve25519xsalsa20poly1305 functions from the NaCl library[1]. Additionally, Dan has written a paper validating NaCl's implementation, and explaining how it combines the primitives[2]. Finally, I've written a simple Python implementation that implements roughly the same APIs as NaCl[3]. (However, beware that [3] has not received as much validation testing as [1] or [2].)

[1] http://nacl.cace-project.eu/box.html
[2] http://cr.yp.to/highspeed/naclcrypto-20090310.pdf
[3] http://github.com/mrd/dnscurve/tree/991bede3a659ffe56bbb96d0067b7cabf1b1df1f/slownacl
archive: From owner-namedroppers@ops.ietf.org Sun May 31 09:06:40 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1850D28C1BA; Sun, 31 May 2009 09:06:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.434 X-Spam-Level: X-Spam-Status: No, score=-2.434 tagged_above=-999 required=5 tests=[AWL=0.165, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99QB27grIlQO; Sun, 31 May 2009 09:06:39 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 272143A69AE; Sun, 31 May 2009 09:06:39 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAnVd-000AW5-Ip for namedroppers-data0@psg.com; Sun, 31 May 2009 16:03:41 +0000 Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAnVS-000AV6-9x for namedroppers@ops.ietf.org; Sun, 31 May 2009 16:03:35 +0000 Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id DE3FCA3F26; Sun, 31 May 2009 16:03:29 +0000 (UTC) (envelope-from vixie@nsa.vix.com) From: Paul Vixie To: Florian Weimer cc: "Bart Smit" , namedroppers@ops.ietf.org Subject: Re: [dnsext] Support for EDSN0 PING In-Reply-To: Your message of "Sun, 31 May 2009 10:44:33 +0200." 
<87zlct4q6m.fsf@mid.deneb.enyo.de>
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl> <19043.1242398302@nsa.vix.com> <87zlct4q6m.fsf@mid.deneb.enyo.de>
X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1
Date: Sun, 31 May 2009 16:03:29 +0000
Message-ID: <21190.1243785809@nsa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

> From: Florian Weimer
> Date: Sun, 31 May 2009 10:44:33 +0200
>
> * Paul Vixie:
>
> > it's controversial because it only works when it works, and when it
> > fails, there's no distinction between an attack and a failure. we were
> > not idiots back in the old days when EDNS was being crafted. we knew
> > we needed a larger QID. we tried hard to include it. there's no way
> > to do it and still properly negotiate EDNS.
>
> But this is not the fault of any extended query ID proposal, it's the
> fault of EDNS.

Right.

> DNSCurve shows a fully backwards-compatible way to signal protocol
> version information to recursive resolvers.
>
> I mean, let's look at what elements of EDNS0 actually work:
>
> * extended RCODEs (but I'm not sure about that)
>
> * extended query flags (the DO bit seems pretty interoperable, even
> though it's overused, but this is not EDNS0's fault)
>
> What does not work:
>
> * the official fallback algorithm (section 5.3)
>
> * large responses (interoperability problems, DoS amplification)
>
> * extended label types (already officially dead)
>
> * options (a FORMERR/SERVFAIL does not tell you which option caused
> the error, making fallback impossible; there is also a significant
> non-interoperating server base)
>
> I wonder if there should be an actually working EDNS0 replacement
> which could then be used to implement extended query IDs.

You forgot "fragmentation is bad". (DNSCurve avoids this with small crypto.) TCP/53 is unusable for queries for a variety of reasons of its own. That's why I'm pounding the table for SCTP/53, on which EDNS wouldn't be optional, therefore avoiding the fallback problems. EDNS PING isn't needed in SCTP due to SCTP's own transport protection, but if needed it would work, since EDNS would not be optional (no fallback problem.)

archive:
From owner-namedroppers@ops.ietf.org Sun May 31 10:41:23 2009
Return-Path:
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8F1D3A68E4; Sun, 31 May 2009 10:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.157
X-Spam-Level:
X-Spam-Status: No, score=0.157 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id np087-5ohknY; Sun, 31 May 2009 10:41:23 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 07DFE3A68B1; Sun, 31 May 2009 10:41:23 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAozT-000Hj8-6Y for namedroppers-data0@psg.com; Sun, 31 May 2009 17:38:35 +0000
Received: from [74.125.44.28] (helo=yx-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAozI-000Hi5-E0 for namedroppers@ops.ietf.org; Sun, 31 May 2009 17:38:29 +0000
Received: by yx-out-2324.google.com with SMTP id 8so3573992yxm.71 for ; Sun, 31 May 2009 10:38:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.68.20 with SMTP id q20mr4366287aga.93.1243791502712; Sun, 31 May 2009 10:38:22 -0700 (PDT)
In-Reply-To:
<21190.1243785809@nsa.vix.com>
References: <98e2a81a562a596987b0c052126e75a3.squirrel@mx.pipe.nl> <19043.1242398302@nsa.vix.com> <87zlct4q6m.fsf@mid.deneb.enyo.de> <21190.1243785809@nsa.vix.com>
Date: Sun, 31 May 2009 10:38:22 -0700
Message-ID:
Subject: Re: [dnsext] Support for EDSN0 PING
From: Matthew Dempsky
To: Paul Vixie
Cc: Florian Weimer , Bart Smit , namedroppers@ops.ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

On Sun, May 31, 2009 at 9:03 AM, Paul Vixie wrote:
> that's why i'm pounding the table for SCTP/53, on which EDNS wouldn't be
> optional, therefore avoiding the fallback problems.

During the transition to SCTP/53, how do you avoid the fallback problem? Do servers pre-announce SCTP support somehow? If so, couldn't you use the same means to announce EDNS support for UDP/53? If not, couldn't an attacker force a cache to fall back to UDP/53 without EDNS?
archive: From owner-namedroppers@ops.ietf.org Sun May 31 10:48:29 2009 Return-Path: X-Original-To: ietfarch-dnsext-archive@core3.amsl.com Delivered-To: ietfarch-dnsext-archive@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2134A3A6D7E; Sun, 31 May 2009 10:48:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[AWL=0.160, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOgAkOEG4Q+9; Sun, 31 May 2009 10:48:28 -0700 (PDT) Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 493743A68B0; Sun, 31 May 2009 10:48:28 -0700 (PDT) Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAp7U-000IKd-A0 for namedroppers-data0@psg.com; Sun, 31 May 2009 17:46:52 +0000 Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MAp7J-000IJh-5C for namedroppers@ops.ietf.org; Sun, 31 May 2009 17:46:46 +0000 Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id CD010A3F47; Sun, 31 May 2009 17:46:40 +0000 (UTC) (envelope-from vixie@nsa.vix.com) From: Paul Vixie To: "George Barwood" cc: namedroppers@ops.ietf.org Subject: Re: [dnsext] EDNS clarification In-Reply-To: Your message of "Sun, 31 May 2009 17:52:36 +0100." 
<0DDF0F7469A34C1DB05A4F735413F949@localhost>
References: <0DDF0F7469A34C1DB05A4F735413F949@localhost>
X-Mailer: MH-E 8.1; nil; GNU Emacs 22.2.1
Date: Sun, 31 May 2009 17:46:40 +0000
Message-ID: <25259.1243792000@nsa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID:

> From: "George Barwood"
> Date: Sun, 31 May 2009 17:52:36 +0100
>
> RFC 2671 does not appear to explicitly document how an EDNS responder
> should treat unrecognised options.
>
> May I suggest that any future revision of RFC 2671 ( and/or the
> "Clarifications and Implementation Notes for DNSSECbis" document ),
> should contain a statement along the lines:
>
> "Responders MUST disregard (ignore) unrecognised EDNS options."

This was the topic of an I-D some years ago by Rob Austein entitled EDNS0_5, but it didn't reach escape velocity since the WG did not reach consensus as to the need for a version number change to reflect this behaviour.

> This may seem fairly obvious, and I assume this was the intention, but
> given the history of DNS, I think an explicit statement would be best.
>
> Fortunately existing EDNS implementations do seem to follow this policy.

Agreed.
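The OPT pseudo-RR that Florian's list picks apart earlier in this thread, and the "responders MUST disregard unrecognised EDNS options" rule George proposes above, in working form. This is an added example and not code from the list or from any resolver or server named in it: a builder and parser for the RFC 2671 OPT RR (extended RCODE, version, DO bit, payload size, options), a toy responder that echoes only the options it knows and answers any other EDNS version with BADVERS, and the resolver-side check for an echo option of the EDNS PING kind. OPT_LOCAL_PING (65001) is an assumed local-use option code standing in for PING and is not an IANA assignment; the responder's 1232-byte payload size and the toy responder itself are likewise just choices made for the example.

```python
"""Minimal DNS wire-format helpers centred on the EDNS0 OPT pseudo-RR (RFC 2671).

Added illustration for this thread; not code from the list or from any named
resolver or server.  OPT_LOCAL_PING is an assumed option code standing in for an
"echo this back" option such as EDNS PING; it is NOT an IANA assignment."""
import struct

OPT_TYPE = 41            # OPT pseudo-RR type code
DO_BIT = 0x8000          # DNSSEC OK flag, low 16 bits of the OPT "TTL" field
OPT_LOCAL_PING = 65001   # assumed local-use option code (see module docstring)


def _name(qname):
    """Serialise a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"


def _opt_rr(udp_size, do, options, version=0, ext_rcode=0):
    """OPT RR: root name, TYPE=41, CLASS=sender's UDP payload size,
    TTL=extended-RCODE(8) | version(8) | flags(16), RDATA=(code, len, data)*."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | (DO_BIT if do else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata


def build_query(qname, qtype=1, qid=0x1234, edns=True, udp_size=4096,
                do=True, version=0, options=()):
    """One-question query with RD set; edns=False gives a pre-EDNS (RFC 1035) query."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = hdr + _name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        msg += _opt_rr(udp_size, do, options, version)
    return msg


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; a pointer ends the name in two bytes."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2
        off += 1 + l


def parse_edns(msg, known_options=frozenset()):
    """Walk all RR sections.  If an OPT RR is present, decode the 12-bit extended
    RCODE, EDNS version, DO bit, payload size and options.  Option codes not in
    known_options are disregarded; they are only listed under 'ignored' so a
    caller can see that the rule was applied rather than a FORMERR raised."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    r = {"qid": qid, "rcode": flags & 0xF, "edns": False, "do": False,
         "udp_size": 512, "version": None, "options": {}, "ignored": []}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        r.update(edns=True, udp_size=rclass, version=(ttl >> 16) & 0xFF,
                 do=bool(ttl & DO_BIT), rcode=((ttl >> 24) << 4) | (flags & 0xF))
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, p)
            data = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code in known_options:
                r["options"][code] = data
            else:
                r["ignored"].append(code)       # unrecognised option: ignore it
    return r


def respond(query, known_options=frozenset({OPT_LOCAL_PING})):
    """Toy responder: copies ID and question and answers nothing.  If the query
    carried EDNS it attaches an OPT RR echoing only the options it recognises;
    an EDNS version other than 0 is answered with BADVERS (extended RCODE 16)."""
    q = parse_edns(query, known_options)
    qend = _skip_name(query, 12) + 4
    hdr = struct.pack("!HHHHHH", q["qid"], 0x8180, 1, 0, 0, 1 if q["edns"] else 0)
    resp = hdr + query[12:qend]
    if q["edns"]:
        resp += _opt_rr(1232, q["do"], q["options"].items(),
                        ext_rcode=1 if q["version"] != 0 else 0)
    return resp


def ping_check(sent_options, response):
    """Resolver side of an echo option: 'echoed' when the payload came back intact,
    'mismatch' when it differs, 'absent' when no OPT or no such option is present.
    'absent' is the case the thread argues about: a server that predates the option
    and a reply with the option stripped or forged look identical here."""
    r = parse_edns(response, {OPT_LOCAL_PING})
    got = r["options"].get(OPT_LOCAL_PING)
    if got is None:
        return "absent"
    return "echoed" if got == dict(sent_options).get(OPT_LOCAL_PING) else "mismatch"
```

Feed build_query a query carrying one known and one unknown option and the unknown code lands in "ignored" while the known one is echoed; a query with version=1 comes back with rcode 16 (BADVERS) rather than a bare FORMERR. The "absent" result from ping_check is the crux of the exchange between Paul and Florian: nothing in a reply without an OPT RR tells the resolver whether the server predates the option or the option was stripped on the way.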
From owner-namedroppers@ops.ietf.org Sun May 31 10:59:08 2009
From: Paul Vixie
To: "George Barwood"
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] EDNS Ping fallbacks
Date: Sun, 31 May 2009 17:56:11 +0000
Message-ID: <25643.1243792571@nsa.vix.com>

> From: "George Barwood"
> Date: Sun, 31 May 2009 18:16:40 +0100
>
> There seems to be a perception that EDNS Ping "does not work", because a
> spoof response that does not contain the Ping option will be accepted.

not merely "will be accepted" but "must be accepted".

> This is true for a naive use of EDNS Ping, but it does not mean EDNS Ping
> is not useful.
>
> There are many possible strategies that can be used.
>
> (1) Send two (Ping) requests in parallel. If both come back with no Ping,
> assume the server has not yet implemented EDNS Ping, and accept either.
>
> Disadvantage: security with servers that have not been upgraded is not
> improved.

there are lots of other disadvantages to this including increased load on
networks and servers, and loss of determinism when both responses come back
with or without PING but the two answer sections differ.

> (2) Send a single (Ping) request. If the response does not have the Ping,
> and "BadID environment*" is poor, return SERVFAIL, and alert the
> operator.
>
> Disadvantage: attacker can force DoS if server has not been upgraded.

we should have learned by now that giving attackers the ability to alter our
behaviour modally is an automatic lose, a guaranteed bad idea, even if we
don't know up front how they would use it. so, do not underestimate the
strength of the disadvantage you have noted here.

> (3) Adopt more complex fallbacks, such as comparing multiple responses to
> infer a safe result, or a restrictive ( but less efficient ) cache
> policy.

loss of determinism is bad. and, there's no reason why any two valid
responses would ever have the same answer section. do not underestimate the
strength of the disadvantage you have noted here.

> Clients may also maintain state information to minimise the number of
> extra packets required.

in EDNS the requestor (i won't say "client" -- i'm thinking server-to-server)
only has to hold state about unupgraded responders, with the intent being
that this state load drops over time (as the internet upgrades). new state
loads should be evaluated along the same metric.

> This description of possible fallbacks is certainly not complete, but we
> don't need to fully understand all the possible strategies to see that
> EDNS Ping MAY be a useful and practical way to improve DNS security and
> efficiency.

i disagree. you have effectively and resoundingly damned EDNS here for any
kind of extended TXID. (that's why EDNS did not include such originally.)

we have to start a transition away from UDP/53 (which is not upgradeable in
place due to many failings including reliance on IP fragmentation) and
TCP/53 (which is too fragile to be relied upon for queries, even as a
fallback). i don't think we should exert more energy on these two transports
now that we know what the problems really are. let's consider SCTP.
From owner-namedroppers@ops.ietf.org Sun May 31 11:00:11 2009
From: Paul Vixie
To: Matthew Dempsky
cc: Florian Weimer, Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Sun, 31 May 2009 17:58:38 +0000
Message-ID: <25706.1243792718@nsa.vix.com>

> Date: Sun, 31 May 2009 10:38:22 -0700
> From: Matthew Dempsky
>
> On Sun, May 31, 2009 at 9:03 AM, Paul Vixie wrote:
> > that's why i'm pounding the table for SCTP/53, on which EDNS wouldn't be
> > optional, therefore avoiding the fallback problems.
>
> During the transition to SCTP/53, how do you avoid the fallback problem?
> Do servers pre-announce SCTP support somehow? If so, couldn't you use
> the same means to announce EDNS support for UDP/53? If not, couldn't an
> attacker force a cache to fallback to UDP/53 without EDNS?

i was not considering any kind of advertisement. years ago we talked about
an "ENS" record that would include some nameserver attributes, but it's not
a good idea for the reasons you provided.

EDNS is subject to trivial downgrade attacks. SCTP is not. viva la
difference!
From owner-namedroppers@ops.ietf.org Sun May 31 11:11:20 2009
From: Matthew Dempsky
To: Paul Vixie
Cc: Florian Weimer, Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Sun, 31 May 2009 11:08:34 -0700
In-Reply-To: <25706.1243792718@nsa.vix.com>

On Sun, May 31, 2009 at 10:58 AM, Paul Vixie wrote:
> EDNS is subject to trivial downgrade attacks. SCTP is not. viva la
> difference!

I'm not talking about downgrading from SCTP-with-EDNS to
SCTP-without-EDNS. I'm talking about downgrading from SCTP-with-EDNS to
UDP-without-EDNS.

An attacker can flood a name server with traffic so it cannot handle DNS
queries over SCTP or UDP. It can then try to send forged UDP-without-EDNS
responses.

From owner-namedroppers@ops.ietf.org Sun May 31 11:22:25 2009
From: Paul Vixie
To: Matthew Dempsky
cc: Florian Weimer, Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Sun, 31 May 2009 18:19:34 +0000
Message-ID: <26587.1243793974@nsa.vix.com>

> Date: Sun, 31 May 2009 11:08:34 -0700
> From: Matthew Dempsky
>
> On Sun, May 31, 2009 at 10:58 AM, Paul Vixie wrote:
> > EDNS is subject to trivial downgrade attacks. SCTP is not. viva la
> > difference!
>
> I'm not talking about downgrading from SCTP-with-EDNS to
> SCTP-without-EDNS. I'm talking about downgrading from SCTP-with-EDNS to
> UDP-without-EDNS.

yes.

> An attacker can flood a name server with traffic so it cannot handle
> DNS queries over SCTP or UDP. It can then try to send forged
> UDP-without-EDNS responses.

i think you should study SCTP harder to find out if it's anywhere near as
fragile as EDNS/UDP/53 or TCP/53 when it comes to forcing a failure in
order to force a downgrade. my own evaluation says: nowhere near.
From owner-namedroppers@ops.ietf.org Sun May 31 11:27:39 2009
From: Matthew Dempsky
To: Paul Vixie
Cc: Florian Weimer, Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Sun, 31 May 2009 11:26:16 -0700
In-Reply-To: <26587.1243793974@nsa.vix.com>

On Sun, May 31, 2009 at 11:19 AM, Paul Vixie wrote:
> i think you should study SCTP harder to find out if it's anywhere near
> as fragile as EDNS/UDP/53 or TCP/53 when it comes to forcing a failure
> in order to force a downgrade. my own evaluation says: nowhere near.

SCTP can guarantee success even when the server's bandwidth is saturated
by a DoS attack?

From owner-namedroppers@ops.ietf.org Sun May 31 11:28:19 2009
From: Paul Vixie
To: Matthew Dempsky
cc: Florian Weimer, Bart Smit, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Sun, 31 May 2009 18:27:25 +0000
Message-ID: <26985.1243794445@nsa.vix.com>

> Date: Sun, 31 May 2009 11:26:16 -0700
> From: Matthew Dempsky
>
> On Sun, May 31, 2009 at 11:19 AM, Paul Vixie wrote:
> > i think you should study SCTP harder to find out if it's anywhere near
> > as fragile as EDNS/UDP/53 or TCP/53 when it comes to forcing a failure
> > in order to force a downgrade. my own evaluation says: nowhere near.
>
> SCTP can guarantee success even when the server's bandwidth is
> saturated by a DoS attack?

of course not. nothing can. but it doesn't take anywhere near that much
bandwidth to force failures on EDNS/UDP/53 or TCP/53.
From owner-namedroppers@ops.ietf.org Sun May 31 13:19:02 2009
From: Paul Vixie
To: "George Barwood"
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] EDNS clarification
Date: Sun, 31 May 2009 20:08:54 +0000
Message-ID: <31034.1243800534@nsa.vix.com>

> From: "George Barwood"
> Date: Sun, 31 May 2009 20:54:19 +0100
>
> >> There seems to be a perception that EDNS Ping "does not work", because a
> >> spoof response that does not contain the Ping option will be accepted.
> >
> > not merely "will be accepted" but "must be accepted".
>
> It is entirely a matter of local policy what the requestor chooses to
> accept.

that's just not true.

> > there are lots of other disadvantages to this including increased load
> > on networks and servers,
>
> I don't believe the extra network/server load is significant. Once most
> servers are upgraded, clients would only send a single packet initially,
> and send the second only if no PING was received.

you're assuming a lot here. like, most servers will be upgraded. and, there
aren't a huge and growing and high-churn lot of initiators. and, servers are
real boxes not anycast clusters which might not all have been upgraded. and,
servers are never downgraded. i do not share those assumptions.

> > and loss of determinism when both responses come back
> > with or without PING but the two answer sections differ.
>
> No, if any response comes back with PING it can be safely accepted, and
> all other responses ignored.

so you'd go with the first response you receive even if the first and second
were reordered in transit. this is a loss of determinism.

> >> (2) Send a single (Ping) request. If the response does not have the
> >> Ping, and "BadID environment*" is poor, return SERVFAIL, and alert the
> >> operator.
> >>
> >> Disadvantage: attacker can force DoS if server has not been upgraded.
> >
> > we should have learned by now that giving attackers the ability to
> > alter our behaviour modally is an automatic lose, a guaranteed bad
> > idea, even if we don't know up front how they would use it. so, do not
> > underestimate the strength of the disadvantage you have noted here.
>
> It's up to the requestor's local policy, for many applications I think (2)
> would be completely practical. An attacker gains very little from this
> DoS attack, so I doubt it would be a significant problem.

if you think that any of us is smarter today than attackers will be tomorrow,
and that it is therefore safe to give attackers a "mode switch" on our DNS
initiators, then there is an unbridgeable gap in our understandings.

> > ... you have effectively and resoundingly damned EDNS here for any
> > kind of extended TXID. (that's why EDNS did not include such
> > originally.)
> >
> > we have to start a transition away from UDP/53 (which is not
> > upgradeable in place due to many failings including reliance on IP
> > fragmentation) and TCP/53 (which is too fragile to be relied upon for
> > queries, even as a fallback). i don't think we should exert more
> > energy on these two transports now that we know what the problems
> > really are. let's consider SCTP.
>
> I don't think SCTP is a good solution, the extra latency would I believe
> be unacceptable.

what extra latency? session setup is two packets. data is exchanged in the
second round trip. session setup is lightweight, there's no reason to close
sessions unless you have more than 10X as many sessions as there are
authority and recursive nameservers on the internet today. what extra
latency?

> Two Ping requests are similar to an SCTP transaction, but have the
> advantage that there is no extra latency.

EDNS is subject to downgrade attacks far more trivial than those needed for
SCTP, and EDNS depends on IP fragmentation for large message sizes which has
not worked out very well for us so far.

> For large (typically DNSSEC) responses, SCTP (or similar) may be a good
> idea, but that is a separate issue.

the need for large responses is not typically for DNSSEC, though that will
change as DNSSEC gets more widely deployed.

From owner-namedroppers@ops.ietf.org Sun May 31 14:58:26 2009
From: Francis Dupont
To: Florian Weimer
cc: Ólafur Guðmundsson /DNSEXT chair, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Draft DNSEXT charter
Date: Sun, 31 May 2009 23:52:10 +0200
Message-Id: <200905312152.n4VLqAi5055385@givry.fdupont.fr>

In your previous mail you wrote:

* Francis Dupont:

> PS: I am sure you know it is critical to get this published and
> implemented before 2010.

This time frame is impossible to achieve due to the dependency on NSEC3.

=> can you detail? Do you mean it is impossible to get it published in
time? implemented? Or the issue is begin/end of 2010 (in
http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html the wording is
"after 2010" so perhaps we have until the end of 2010 but for deployment in
a limited context, so harder target too)?

Thanks

Francis.Dupont@fdupont.fr
From owner-namedroppers@ops.ietf.org Sun May 31 17:31:08 2009
From: Paul Vixie
To: Mark Andrews
cc: Florian Weimer, "Bart Smit", namedroppers@ops.ietf.org
Subject: Re: [dnsext] Support for EDSN0 PING
Date: Mon, 01 Jun 2009 00:24:23 +0000
Message-ID: <44462.1243815863@nsa.vix.com>
In-Reply-To: <200906010004.n5104OI9059004@drugs.dv.isc.org>

> From: Mark Andrews
> Date: Mon, 01 Jun 2009 10:04:24 +1000
>
> > > * extended RCODEs (but I'm not sure about that)
>
> extended RCODEs were badly done. We should have had a basic
> rcode which indicated that there was an extended rcode in the
> OPT record. Concatenating the bits was a bad idea.

agreed, but i don't think we'll see a change to this in EDNS1 (or ever.)

> > > What does not work:
> > >
> > > * the official fallback algorithm (section 5.3)
>
> It actually works quite well 99.999% of the time. It doesn't
> work when you talk to non RFC 1034 compliant servers or you
> have firewalls that interfere with DNS UDP messages.
>
> To work around non-compliant servers and firewalls a second
> fallback algorithm is needed to take into account timeouts.

maybe a BCP on this would be of general interest to the community?

> > > * large responses (interoperability problems, DoS amplification)
>
> Moving to SCTP won't get rid of the DoS amplification problem
> as we can never stop servicing UDP/53 queries. BCP 38
> deployment is the best way to stop DoS amplifications.

BCP38 is even less likely than universal switchover from UDP/53 to SCTP, so
let's take a fresh look. SCTP isn't spoofable in the way UDP/53 is, so the
thing you can get DoS-amp'd with is SCTP setup packets, which are small and
which could potentially be handled by a hardware front end far upstream of
protection-worthy servers.

in other words SCTP is my hope for making secure robust reliable DNS
connectivity possible for cooperating on-the-ball up-to-date operators,
because otherwise we've just got UDP/53 (with or without EDNS) and TCP/53,
neither of which can be made robust or reliable (ever, period).
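The three EDNS details argued over in this thread, put into one worked example that is not code from any poster, from BIND or from any draft: the "disregard unrecognised options" rule from the first message, the extended RCODE bits concatenated into the OPT TTL that Mark Andrews criticises, and the requestor-side fallback strategies (1) and (2) from the EDNS Ping discussion. Option code 65001, the nonce values and the labels are constructed placeholders, and the assumption that a Ping-style option carries only the requestor's nonce is mine, not the draft's.

```python
# Added example for the namedroppers EDNS thread; not code from the thread,
# from BIND, or from any EDNS Ping draft. Option code 65001 is a constructed
# placeholder, and "option data == requestor nonce" is an assumption.
import struct

OPT_TYPE = 41
PLACEHOLDER_PING_CODE = 65001  # assumption: stand-in, not a real IANA code


def build_opt_rr(udp_payload_size=4096, ext_rcode=0, version=0, do_bit=False,
                 options=()):
    """Serialise an OPT RR (RFC 2671 section 4): NAME=root, TYPE=41,
    CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDATA=option TLVs."""
    flags = 0x8000 if do_bit else 0
    ttl = (ext_rcode << 24) | (version << 16) | flags
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    return (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl,
                                 len(rdata)) + rdata)


def parse_opt_rr(buf, header_rcode=0):
    """Parse one OPT RR at the start of buf. The returned "rcode" is the full
    12-bit value: the OPT ext-rcode concatenated above the 4-bit header RCODE
    (the design Andrews objects to; BADVERS is ext-rcode 1 over RCODE 0, i.e.
    16). Recognised options are returned; unrecognised codes are skipped."""
    if len(buf) < 11 or buf[:1] != b"\x00":
        raise ValueError("OPT RR must carry the root name and a fixed header")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", buf[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata = buf[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated OPT RDATA")
    known, unknown = {}, []
    pos = 0
    while pos + 4 <= len(rdata):
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        data = rdata[pos:pos + olen]
        if len(data) != olen:
            raise ValueError("truncated EDNS option %d" % code)
        pos += olen
        if code == PLACEHOLDER_PING_CODE:
            known[code] = data
        else:
            # Unrecognised option: disregarded, which is the behaviour the
            # first message asks a revised RFC 2671 to state explicitly.
            unknown.append(code)
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return {
        "udp_payload_size": payload,
        "rcode": ((ttl >> 24) << 4) | (header_rcode & 0xF),
        "version": (ttl >> 16) & 0xFF,
        "do": bool(ttl & 0x8000),
        "known": known,
        "unknown_codes": unknown,
    }


def echoes_nonce(opt_rr, nonce):
    """True if the response's OPT RR carries the placeholder option with the
    requestor's nonce. A response with no OPT RR at all cannot echo it."""
    if opt_rr is None:
        return False
    return parse_opt_rr(opt_rr)["known"].get(PLACEHOLDER_PING_CODE) == nonce


def evaluate_responses(responses, nonce, strategy):
    """Model of the requestor fallbacks from the thread. `responses` is a
    list of (opt_rr_bytes or None, answer_label) in arrival order. Returns
    ("accept", label) or ("servfail", None)."""
    echoed = [label for opt, label in responses if echoes_nonce(opt, nonce)]
    if echoed:
        return ("accept", echoed[0])
    if strategy == 1:
        # (1) two parallel requests, neither echoed: treat the responder as
        # not upgraded and take whichever answer arrived first. A response
        # that merely omits the option is indistinguishable from a legitimate
        # pre-upgrade one, and the result depends on arrival order (the loss
        # of determinism Vixie objects to).
        return ("accept", responses[0][1]) if responses else ("servfail", None)
    if strategy == 2:
        # (2) single request, not echoed: refuse. No unverified answer is
        # accepted, but anything that strips the option now turns into
        # SERVFAIL, the "mode switch" Vixie warns about.
        return ("servfail", None)
    raise ValueError("unknown strategy %r" % (strategy,))
```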