> On Feb 19, 2025, at 8:00 PM, Ben Schwartz <[email protected]> wrote:
>
> Hi DNSOP,
>
> John Todd, Puneet Sood, and myself have just posted a new draft [1] with a
> very simple premise: if you're sending queries to a resolver just to see if
> you get a response, query "probe.resolver.arpa". This name is (proposed to
> be) guaranteed NXDOMAIN, and the purpose of the query is unambiguous to
> someone inspecting the resolver logs.
>
> This is an extremely straightforward proposal, but there are a few questions:
>
> * Is this a Special Use Domain Name (as the -00 draft claims)?
> * Should this draft go to DNSOP or ADD?
> * Should we extend this concept to authoritative servers?
> * Name bikeshed.
>
> We welcome your input.
>
> --Ben Schwartz
>
> [1] https://datatracker.ietf.org/doc/draft-sst-dnsop-probe-name/
>
> P.S. We wrote this before some recent discussion about names guaranteed not
> to exist, which may be evidence that this could be useful.

Hi Ben,

A couple of comments on the document text:

> risk of implementation fingerprinting due to the distinctive QTYPE.

I think you mean QNAME here?

> 4) Are developers of caching domain name servers expected to make
> their implementations recognize these names as special and treat them
> differently? If so, how?
>
> No. This name is subject to ordinary caching logic.

This was unexpected, given that RFC 9462’s answer to SUDN question 4 was “yes” for the parent domain resolver.arpa. (Reading section 8.2 of RFC 9462 I feel like there is some ambiguity whether it is talking about resolver.arpa or _dns.resolver.arpa)

DW
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
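
A liveness check built on the name proposed in the quoted message, as an added example that is not part of this thread or of the draft: it builds the wire-format query for "probe.resolver.arpa" and classifies a reply, treating NXDOMAIN as the expected "resolver is answering" result. The QTYPE (A), the function names and the constructed sample reply are assumptions made for illustration.

```python
import struct

PROBE_NAME = "probe.resolver.arpa"  # name proposed in the message quoted above
QTYPE_A, QCLASS_IN = 1, 1           # assumption: the thread does not fix a QTYPE
RCODE_NXDOMAIN = 3

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_probe(txid):
    """Build a recursive query (RD=1) for the probe name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(PROBE_NAME) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def classify_response(txid, query, response):
    """Return 'alive-nxdomain', 'alive-unexpected-rcode' or 'invalid'."""
    if len(response) < 12:
        return "invalid"
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    # Must be a response (QR=1) to our transaction with one question.
    if rid != txid or not flags & 0x8000 or qdcount != 1:
        return "invalid"
    question = query[12:]
    # The echoed question must match what was asked (ASCII case-insensitive).
    if response[12:12 + len(question)].lower() != question.lower():
        return "invalid"
    if flags & 0x000F == RCODE_NXDOMAIN:
        return "alive-nxdomain"
    return "alive-unexpected-rcode"

def constructed_response(query, rcode):
    """Constructed sample reply: same ID and question, QR=1 RD=1 RA=1."""
    flags = 0x8180 | rcode
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_probe(0x1234)
    print(classify_response(0x1234, q, constructed_response(q, RCODE_NXDOMAIN)))
```
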
