swedish dns zone enumerator

Mark Andrews marka at isc.org
Fri Nov 3 04:49:13 UTC 2023



> On 2 Nov 2023, at 20:25, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> On Thu, Nov 02, 2023 at 04:09:24PM +1100,
> Mark Andrews <marka at isc.org> wrote 
> a message of 90 lines which said:
> 
>> I also see QNAME minimisation in action as the QTYPE is NS.  This
>> could just be an open recursive server using QNAME minimisation.
>> With QNAME minimisation working correctly, all that parent zones should
>> see is NS queries with the occasional DNSKEY and DS query.  Both
>> BIND and Knot use NS queries for QNAME minimisation.
> 
> I disagree. NS queries were used in the first RFC about QNAME
> minimisation (which was experimental) but the current one (which is on
> the standards track) now recommends A or AAAA queries
> <https://www.rfc-editor.org/info/rfc9156>, especially section 2.1.

The QTYPE selection is always a matter of trade-offs.  NS is still
perfectly fine and it is the ONLY type that actually works in a number
of scenarios.  Additionally the number of servers that don’t respond
to NS queries is remarkably small and decreasing.  More of an issue
is garbage NS RRsets below the zone cut.  A queries work well when there
is a zone cut at each label.  They don’t work well when there isn’t
a zone cut.  You get back nothing to say that there isn’t a zone cut,
which leaves you needing to do the discovery on the next query to the
zone, and the next query to the zone, etc.  This leads to complaints
that you aren’t caching A (or whatever type you chose) queries.

>> Other query types and/or prefixes do not work as they have
>> undesirable side effects.
> 
> Rather the contrary, some broken firewalls in front of authoritative
> name servers were crashing when using NS queries. Hence the choice of
> address queries. (Also, it improves privacy since it makes more
> difficult to see you are doing QNAME minimisation.)

Hiding that you are doing QNAME minimisation is a non-issue.  As for
firewalls crashing, the more they crash the sooner they get fixed;
it’s been years now.

>> I would not like anyone to take seeing mostly NS queries as any
>> evidence of bad practice.
> 
> We agree here.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
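As an added illustration of the walk discussed above (not code from the thread, nor from BIND or Knot), a toy QNAME-minimisation simulation over a constructed zone tree: it records which (QNAME, QTYPE) pair each zone's server receives when the resolver probes with NS versus with address queries, and shows the NODATA at an undelegated label that the walk simply steps past. The zone tree, records and single-server-per-zone model are constructed assumptions.

```python
# Constructed zone tree: each zone maps to the set of child zones it delegates.
ZONES = {
    ".": {"com."},
    "com.": {"example.com."},
    "example.com.": {"b.example.com."},
    "b.example.com.": set(),            # "a" below here is NOT a zone cut
}
# Constructed data held by the leaf zone.
RECORDS = {("www.a.b.example.com.", "A"): "192.0.2.10"}


def authoritative(zone, qname, qtype, seen):
    """Toy server for `zone`: log what it saw, then answer (qname, qtype)."""
    seen.setdefault(zone, []).append((qname, qtype))
    for child in ZONES[zone]:           # name at/below a delegation -> referral
        if qname == child or qname.endswith("." + child):
            return ("REFERRAL", child)
    if (qname, qtype) in RECORDS:
        return ("ANSWER", RECORDS[(qname, qtype)])
    # Simplification: no NXDOMAIN; anything else is NODATA from this zone.
    return ("NODATA", zone)


def resolve(qname, qtype, probe_type):
    """Minimising resolver: expose one more label per query, starting at the
    root, using `probe_type` until the full name is sent.  Returns the answer
    and a per-zone log of the (qname, qtype) pairs each server received."""
    seen = {}
    labels = qname.rstrip(".").split(".")
    zone = "."                          # zone whose server we ask next
    for i in range(len(labels), 0, -1):
        minimised = ".".join(labels[i - 1:]) + "."
        t = qtype if minimised == qname else probe_type
        kind, payload = authoritative(zone, minimised, t, seen)
        if kind == "REFERRAL":
            zone = payload              # follow the cut; next label goes to child
        elif kind == "ANSWER":
            return payload, seen
        # NODATA: no cut here, keep adding labels against the same zone
    return None, seen


if __name__ == "__main__":
    for probe in ("NS", "A"):
        answer, log = resolve("www.a.b.example.com.", "A", probe)
        print(f"probe={probe} answer={answer}")
        for zone, queries in log.items():
            print(f"  {zone:16} saw {queries}")
```

With NS probes every parent zone sees only NS queries and the real QTYPE reaches only the leaf zone, which is the pattern the thread says a parent operator should expect to observe.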