[Dnssec-deployment] not ANY (Re: CAT is signed )

Alain Patrick AINA aalain at trstech.net
Tue Jun 29 20:18:26 EDT 2010


On Tue, 29 Jun 2010 21:45:51 +0000, Paul Vixie wrote
> On Jun 29, 2010, at 5:39 AM, Stephane Bortzmeyer wrote:
> > More seriously, the fact that the typical user does not send ANY
> > queries is irrelevant. The problem is that one name server sends
> > replies which it cannot deliver. If the name server replied REFUSED for
> > ANY queries, I could have accepted it. But forcing the client to
> > timeout is quite rude.
> 
> then:
> 
> > From: Eric Osterweil <eoster at CS.UCLA.EDU>
> > Date: Tue, 29 Jun 2010 08:36:15 -0700
> > 
> > I am, actually, quite on board with raising a flag when there is a PMTU
> > problem.  However, I can't agree that ANY queries constitute a problem.
> 
> what we're seeing here is a failure to communicate. nobody here thinks
> that ANY is the problem being discussed. we can stop talking about ANY
> now, and say simply that a question was asked that caused an answer to
> be generated and transmitted that had no hope of leaving the responder's
> local network due to PMTU problems.
> 
> such servers are misconfigured. for a TLD server to be misconfigured in
> this way is irresponsible on ICANN's part, who should've tested this
> before adjusting the root zone to contain the respective NS RR. ICANN
> should also periodically retest, and should have the contractual right
> to warn privately, warn publicly, and then remove after 24 hours any
> such NS RR, without reference to the national sovereignty of the CCTLD.



The topic of this thread is just an example of situations we will see in the coming days. In the DNSSEC fever and
the rush to sign zones, people will not always assess and test, especially slaves' readiness.
In this case we have PMTU issues and TCP not supported.

--alain
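As an added example that is not part of this thread, here is a small readiness probe for the two failure modes named above: a large EDNS0 answer that never leaves the responder's network (PMTU), and a truncated answer on a server that does not speak TCP. The server address and zone name are assumed placeholders; `classify()` is pure and can be exercised on constructed replies.

```python
import socket
import struct

def build_query(name, qtype=1, bufsize=4096, do_bit=True, qid=0x1234):
    """Wire-format DNS query with an EDNS0 OPT RR advertising `bufsize` (RFC 6891)."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional (OPT)
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.rstrip('.').split('.')) + b'\x00'
    question = qname + struct.pack('!HH', qtype, 1)             # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000), RDLEN 0
    opt = b'\x00' + struct.pack('!HHIH', 41, bufsize, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def classify(udp_reply, tcp_reply):
    """Map the two raw replies (None = timeout) to a readiness verdict."""
    if udp_reply is None and tcp_reply is None:
        return 'unreachable'
    if udp_reply is None:
        return 'udp-blackhole'        # large UDP answer never arrives but TCP works: PMTU problem
    truncated = bool(struct.unpack('!H', udp_reply[2:4])[0] & 0x0200)   # TC bit in the header flags
    if tcp_reply is None:
        # TC set: the client is told to retry over TCP, but TCP fails (the forced timeout from the thread)
        return 'tc-without-tcp' if truncated else 'tcp-unsupported'
    return 'ok-via-tcp' if truncated else 'ok'

def probe(server, name, qtype=1, bufsize=4096, timeout=3.0):
    """Send the same query over UDP and TCP (port 53) and classify the outcome.
    A 4096-byte buffer is advertised on purpose so that a big signed answer is sent in one datagram."""
    q = build_query(name, qtype, bufsize)
    udp = tcp = None
    fam = socket.AF_INET6 if ':' in server else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            udp = s.recv(65535)
    except OSError:
        pass
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack('!H', len(q)) + q)     # TCP framing: 2-byte length prefix
            tcp = s.recv(2 + 12) or None                 # header is enough; b'' means the server closed on us
    except OSError:
        pass
    return classify(udp, tcp)

if __name__ == '__main__':
    import sys
    # usage: python probe.py <server-ip> <zone-apex>; DNSKEY (type 48) is usually the largest signed answer
    print(probe(sys.argv[1], sys.argv[2], qtype=48))
```

Run it against every published NS of a zone before (and periodically after) the DS goes in; any verdict other than `ok` or `ok-via-tcp` is the kind of misconfiguration discussed above.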

