
Re: [dnsext] Reminder: two WGLC closing in one week


Florian Weimer

Oct 2, 2008, 4:38:29 AM
* Mark Andrews:

>> DO necessarily implies UD because the synthesized CNAME is not signed
>> and thus not visible to a DNSSEC client (section 3.1).
>
> DO indicates that you want the DNSSEC records.

DO was originally conceived as "intent to validate". It's not used
this way, though.

> UD indicates that you don't want the synthesised CNAME.
>
> There are cases where you don't want DO to imply UD.
> Think humans reading the output.

If UD is debugging-only, I don't think it's worth the effort.

-- 
Florian Weimer <fwe...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

--
to unsubscribe send a message to namedroppe...@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Olafur Gudmundsson

Oct 2, 2008, 11:01:12 AM

<DNSSEC-historian-hat=on>

At 04:38 02/10/2008, Florian Weimer wrote:
>* Mark Andrews:
>
> >> DO necessarily implies UD because the synthesized CNAME is not signed
> >> and thus not visible to a DNSSEC client (section 3.1).
> >
> > DO indicates that you want the DNSSEC records.
>
>DO was originally conceived as "intent to validate". It's not used
>this way, though.

DO was designed to address two issues:
- Protect DNSSEC-ignorant resolvers that failed when they saw
"unknown" RR types.
- Keep answers smaller for DNSSEC-ignorant queriers.

When DO was proposed, someone observed "DNSSEC is only for consenting adults"


> > UD indicates that you don't want the synthesised CNAME.
> >
> > There are cases where you don't want DO to imply UD.
> > Think humans reading the output.
>
>If UD is debugging-only, I don't think it's worth the effort.

UD is an exit plan from "synthesize CNAME forever" as the old exit plan
"new version of EDNS" is not on the horizon.
There are actively maintained non-DNSSEC DNAME-aware resolvers
out there and these resolvers can send queries with DO=0 and UD=1.
One of the objections to placing DNAME records
in the root zone was the "CNAME synthesis overhead".

Olafur

Edward Lewis

Oct 6, 2008, 12:25:06 PM
At 10:38 +0200 10/2/08, Florian Weimer wrote:
>* Mark Andrews:
>
>>> DO necessarily implies UD because the synthesized CNAME is not signed
>>> and thus not visible to a DNSSEC client (section 3.1).
>>
>> DO indicates that you want the DNSSEC records.
>
>DO was originally conceived as "intent to validate". It's not used
>this way, though.

No, "DO indicates that you want the DNSSEC records" is accurate.

We (= the group that cobbled DNSSEC into BIND 8) stood up a name
server before the DO bit was invented. After not hearing from the
government agency that was funding the work on DNSSEC for a few days
we realized that something was amiss. It turned out that we were
responding to A record requests with responses enlarged by the DNSSEC
records and the funding agency's firewalls were rejecting all traffic
to port 53 over a certain size. This "eating our own dogfood"
experience led to the DO bit.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.
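Olafur's two stated purposes for DO (protect DNSSEC-ignorant resolvers, keep their answers small) and Ed's anecdote about oversized port-53 responses both come down to one mechanism: the DO bit lives in the extended-flags field of the EDNS0 OPT pseudo-RR, and a server only adds RRSIGs when it sees that bit. The following Python script is an added illustration, not code from this thread or from BIND: it builds a constructed query with and without an OPT record, locates the OPT RR in the additional section, reads the DO flag and the advertised UDP payload size, and shows the server-side decision that keeps signatures out of answers to DNSSEC-ignorant queriers. The UD bit discussed in the thread is deliberately not modeled, since the thread does not give its wire encoding. Only the standard library is used, and the query packets are constructed inline.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000     # "DNSSEC OK": top bit of the OPT RR's extended flags (RFC 3225)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset off; return (name, new_offset).
    The constructed queries below never use compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(qname, qtype=1, edns=True, do=True, udp_size=4096):
    """Constructed query: one question plus, when edns=True, an OPT RR whose
    CLASS field carries the UDP payload size and whose TTL field carries the
    extended rcode, version and flags (DO among them)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if edns:
        ttl_field = DO_FLAG if do else 0   # ext-rcode=0, version=0, flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl_field, 0)
    return msg


def edns_info(msg):
    """Return (do_bit_set, advertised_udp_size) from the OPT RR, or
    (False, 512) when the querier sent no EDNS at all (a DNSSEC-ignorant
    querier that only promised the classic 512-byte UDP limit)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG), rclass
    return False, 512


def answer_rr_types(query):
    """Server-side decision for a signed zone: the A record always goes in the
    answer; the RRSIG over it is added only when the querier set DO, so a
    DNSSEC-ignorant querier never gets the enlarged response."""
    do, _ = edns_info(query)
    return ["A", "RRSIG"] if do else ["A"]


if __name__ == "__main__":
    for label, q in [("DO=1", build_query("example.com.")),
                     ("DO=0", build_query("example.com.", do=False)),
                     ("no EDNS", build_query("example.com.", edns=False))]:
        print(label, edns_info(q), answer_rr_types(q))
```

Running the script prints one line per constructed query; the "no EDNS" case is the pre-DO situation Ed describes, where a server that did not make this distinction would have sent the RRSIGs anyway and tripped the size-based filter.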

bman...@vacation.karoshi.com

Oct 6, 2008, 12:43:17 PM
On Mon, Oct 06, 2008 at 12:25:06PM -0400, Edward Lewis wrote:
> At 10:38 +0200 10/2/08, Florian Weimer wrote:
> >* Mark Andrews:
> >
> >>> DO necessarily implies UD because the synthesized CNAME is not signed
> >>> and thus not visible to a DNSSEC client (section 3.1).
> >>
> >> DO indicates that you want the DNSSEC records.
> >
> >DO was originally conceived as "intent to validate". It's not used
> >this way, though.
>
> No, "DO indicates that you want the DNSSEC records" is accurate.
>
> We (= the group that cobbled DNSSEC into BIND 8) stood up a name
> server before the DO bit was invented. After not hearing from the
> government agency that was funding the work on DNSSEC for a few days
> we realized that something was amiss. It turned out that we were
> responding to A record requests with responses enlarged by the DNSSEC
> records and the funding agency's firewalls were rejecting all traffic
> to port 53 over a certain size. This "eating our own dogfood"
> experience led to the DO bit.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar


it was a fine way to reduce email traffic. :)

and shows the wisdom of actually "eating our own
dog food".

--bill
