[dns-operations] Research Project: Identifying DNSSEC Validators

Vernon Schryver vjs at rhyolite.com
Thu Sep 6 19:54:05 UTC 2012


> From: Ralf Weber <Ralf.Weber at nominum.com>

> The protocol doesn't mandate a resolver to retry, ...

Which protocol is that?  I'm not disagreeing since the claim matches
my intuition, but only asking for an RFC number (or numbers) so
that I can understand the exegesis.


> The approach from Matthäus described earlier in the thread using
> javascript and two pics, one validating and one not seems cleaner
> to me and can deal with all the cases Olafur, myself and others had
> problems with.

Is that the scheme mentioned on
https://lists.dns-oarc.net/pipermail/dns-operations/2012-September/008724.html

] Our test methodology is to load 1px images from two domain names, one
] correctly signed and the other one with a broken signature.

How is javascript involved?  That sounds like a pair of ordinary
<IMG> beacons.

If javascript is involved, do you figure that browsers with javascript
controlled manually or automatically (e.g. with NoScript) are
insignificant or that the resolvers of users that do such things
should not be counted?

I assume I'm odd, because I'm not eager to put the invisible HREF
anchor on my web pages because of the extra DNS transactions imposed
on users.  I also have vague worries I can't articulate about privacy
concerns.

My answer to putting a simple <IMG> beacon on my web pages would
be a flat "never."  There are too many technical and legal issues.
For example, what about privacy issues with the referer string?

I'd have trouble responding politely to a request that I add
javascript to my web pages.  I don't think I'm religiously opposed
to javascript, since I'm taking a break from fighting some javascript
bugs to write this.  It's just simple security and operational
prudence to never add code that is not strictly necessary.


Vernon Schryver    vjs at rhyolite.com
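The two-beacon test quoted above (a correctly signed name and a deliberately broken one, each serving a 1px image) can be driven from the browser with plain IMG beacons and server-side log correlation, or, as asked about in the thread, with JavaScript that watches the load/error events and reports a verdict client-side. The following is an added example illustrating the JavaScript variant; it is not code from this thread or from Matthäus's test. The two beacon hostnames, the 5 second timeout and the verdict labels are assumptions; the onload/onerror logic is injectable so the classifier can be exercised outside a browser.

```javascript
// Added example: client-side DNSSEC validator detection with two image beacons.
// Assumptions: GOOD_BEACON lives in a correctly signed zone and BROKEN_BEACON in a
// zone with a broken signature, so a validating resolver fails to resolve the
// second one and the browser fires onerror instead of onload.
const GOOD_BEACON   = "https://signed-ok.example/1px.gif";   // hypothetical name
const BROKEN_BEACON = "https://signed-bad.example/1px.gif";  // hypothetical name
const DEFAULT_TIMEOUT_MS = 5000;                              // assumed budget

// Map the two load outcomes to a verdict. A failed GOOD beacon means the test
// itself did not run cleanly (offline, content blocker, images disabled), so it
// must not be counted as evidence either way.
function classify(goodLoaded, brokenLoaded) {
  if (goodLoaded && !brokenLoaded) return "validating";
  if (goodLoaded && brokenLoaded) return "not-validating";
  return "inconclusive";
}

// Load one beacon; resolves to true on load, false on error or timeout.
// `createImage` is a factory (default: the browser's Image) so tests can inject
// a fake. A resolver that only SERVFAILs after retrying several servers shows
// up here as a timeout, which we treat the same as an error.
function probe(url, createImage, timeoutMs) {
  return new Promise((resolve) => {
    const img = createImage();
    let done = false;
    const finish = (ok) => {
      if (done) return;
      done = true;
      clearTimeout(timer);
      resolve(ok);
    };
    const timer = setTimeout(() => finish(false), timeoutMs);
    img.onload = () => finish(true);
    img.onerror = () => finish(false);
    // Address the referer concern raised above: do not send one with the beacon.
    if ("referrerPolicy" in img) img.referrerPolicy = "no-referrer";
    // Cache-bust so a previously cached pixel cannot masquerade as a fresh lookup.
    img.src = url + "?r=" + Date.now() + "-" + Math.random().toString(36).slice(2);
  });
}

// Run both probes in parallel and return the raw outcomes plus the verdict.
async function detectValidation(opts = {}) {
  const createImage = opts.createImage || (() => new Image());
  const timeoutMs = opts.timeoutMs || DEFAULT_TIMEOUT_MS;
  const [goodLoaded, brokenLoaded] = await Promise.all([
    probe(GOOD_BEACON, createImage, timeoutMs),
    probe(BROKEN_BEACON, createImage, timeoutMs),
  ]);
  return { goodLoaded, brokenLoaded, verdict: classify(goodLoaded, brokenLoaded) };
}

// Fake Image factory for running the logic without a browser: `outcomeFor(url)`
// returns "load", "error" or "hang" (never fires, exercising the timeout path).
function fakeImageFactory(outcomeFor) {
  return () => {
    const img = {};
    Object.defineProperty(img, "src", {
      set(url) {
        const outcome = outcomeFor(url);
        if (outcome === "hang") return;
        setTimeout(() => (outcome === "load" ? img.onload() : img.onerror()), 0);
      },
    });
    return img;
  };
}

// In a real browser, run the test and log the verdict; skipped under Node.
if (typeof Image !== "undefined") {
  detectValidation().then((r) => console.log("DNSSEC validation:", r.verdict));
}
```

The verdict describes whichever resolver finally answered the browser, not necessarily the first one the stub asked: a stub that retries a non-validating secondary after a SERVFAIL from a validating primary will load the broken beacon and be classed as not validating, which is exactly the retry question raised at the top of this message. Visitors who block scripts never report a verdict at all, so a deployment that also wants to count them still needs the plain IMG beacons and server-side log correlation.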