On Mon, 7 Jul 2025, Willem Toorop wrote:
> This draft came from the Poisonlicious hackathon project at the
> Netnod/DNS-OARC/RIPE-NCC DNS Hackathon that was held this spring in Stockholm.
> The -00 version was posted by Stephane just after the hackathon, and this new
> version has (some) of the feedback on that processed.
>
> I have been recruiting among the Open Source DNS Resolver vendors for
> co-authors, to warrant unanimity at least among some of the possible
> implementers, and I am very happy to announce that I managed to persuade
> Ondřej Surý (ISC) and Otto Moerbeek (PowerDNS) to join.
>
> We have been granted 10 minute agenda time in the 11:30 - 13:00 (CEST) DNSOP
> slot, and I am very much looking forward to presenting and discussing this
> idea then and there.

Great :)

But :P

>    The resolver must send only data that it is sure of (for instance
>    by DNSSEC validation or because it came with the AA bit from
>    the queried server). Since all of the network of resolvers are
>    in the same organizational domain, they MUST agree on the same
>    policy for this assessment.

Please also define a mode that does not have authentication, and that
only shares DNSSEC validatable data. This will allow for a pool.ntp.org
style cooperation of untrusted partners.

>    The peer is not supposed to do DNSSEC validation (there is not
>    always all the necessary data in the message).

Please allow for a mode that only sends complete RRsets with RRSIG, does
use validation and maybe even supports RFC 7901?

The privacy considerations could mention adding some fuzz to TTL to try
and combat some fingerprinting of data/users.
Paul
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
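The two sharing modes argued over in the thread above (the draft's "same organizational domain" mode, where anything the resolver is sure of by validation or the AA bit may be shared, and the suggested unauthenticated mode that only ships validated, complete RRsets together with their RRSIGs), plus the TTL fuzz Paul suggests for the privacy considerations, as one added example. This is illustration code written for this page, not code from the draft, from any of the authors, or from any resolver vendor. The mode names, the `CachedRRset` fields, the sample cache entries, the 30-second jitter bound and the `accept_from_peer` check are all assumptions made here; the draft specifies none of them.

```python
# Added example, not code from the draft or from any resolver implementation.
# Models the sender-side policy for the two sharing modes discussed on the
# list, the TTL fuzz suggested for the privacy considerations, and a minimal
# receiver-side sanity check. All names and sample data are assumptions.
from dataclasses import dataclass
import random

ORGANIZATION = "organization"  # draft's mode: peers in one organizational domain
UNTRUSTED = "untrusted"        # suggested mode: pool.ntp.org style, peers not trusted


@dataclass(frozen=True)
class CachedRRset:
    name: str
    rtype: str
    ttl: int               # remaining TTL in seconds
    validated: bool        # passed this resolver's own DNSSEC validation
    aa: bool               # arrived with the AA bit set from the queried server
    rrsigs: tuple = ()     # RRSIG(s) covering this RRset, opaque strings here
    complete: bool = True  # every RR of the set is present, not a partial set


def eligible(rrset: CachedRRset, mode: str) -> bool:
    """Sender-side policy: may this cached RRset be pushed to peers in `mode`?"""
    if mode == ORGANIZATION:
        # Draft text: only data the resolver is sure of, by validation or AA bit.
        return rrset.validated or rrset.aa
    if mode == UNTRUSTED:
        # Peers cannot trust us, so only ship what they can verify themselves:
        # validated here, the full RRset, and the RRSIGs that cover it.
        return rrset.validated and rrset.complete and len(rrset.rrsigs) > 0
    raise ValueError(f"unknown sharing mode: {mode}")


def fuzzed_ttl(ttl: int, max_jitter: int = 30, rng=random) -> int:
    """Subtract random jitter so a peer cannot pin down when we learned the data.

    The fuzz only ever shortens the TTL: extending it would let data outlive
    the authority's TTL, which is a caching violation, not a privacy gain.
    """
    if ttl <= 1:
        return ttl
    return ttl - rng.randint(0, min(max_jitter, ttl - 1))


def build_share_batch(cache, mode, max_jitter=30, rng=random):
    """Select and rewrite the cache entries to send to peers in `mode`."""
    batch = []
    for rrset in cache:
        if not eligible(rrset, mode):
            continue
        entry = {
            "name": rrset.name,
            "type": rrset.rtype,
            "ttl": fuzzed_ttl(rrset.ttl, max_jitter, rng),
        }
        if mode == UNTRUSTED:
            # Signatures travel with the data so the receiver can validate.
            entry["rrsig"] = list(rrset.rrsigs)
        batch.append(entry)
    return batch


def accept_from_peer(entry, mode) -> bool:
    """Receiver-side check before handing the entry to the validator.

    Assumption: real signature verification happens in the resolver's DNSSEC
    validator afterwards; this only refuses entries that could never pass it.
    """
    if entry["ttl"] <= 0:
        return False
    if mode == UNTRUSTED:
        return bool(entry.get("rrsig"))
    return True


# Constructed sample cache for this example, not real data.
SAMPLE_CACHE = (
    CachedRRset("www.example.", "A", 300, validated=True, aa=False,
                rrsigs=("RRSIG-A-opaque",)),
    CachedRRset("mail.example.", "MX", 3600, validated=False, aa=True),
    CachedRRset("glue.example.", "A", 172800, validated=False, aa=False),
    CachedRRset("big.example.", "TXT", 60, validated=True, aa=True,
                rrsigs=("RRSIG-TXT-opaque",), complete=False),
)

if __name__ == "__main__":
    for mode in (ORGANIZATION, UNTRUSTED):
        names = [e["name"] for e in build_share_batch(SAMPLE_CACHE, mode)]
        print(f"{mode}: {names}")
```

With the sample cache, the organization mode shares three of the four entries (the unvalidated, non-authoritative glue is dropped), while the untrusted mode shares only the validated, complete, signed A record: the authoritative-but-unsigned MX fails for lack of RRSIGs, and the partial TXT set is withheld because the receiver could not validate an incomplete RRset. The jitter is bounded by `ttl - 1` so a fuzzed entry never expires on arrival.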