[dns-operations] Research Project: Identifying DNSSEC Validators
Matthäus Wander
matthaeus.wander at uni-due.de
Thu Sep 6 20:57:00 UTC 2012
Hi,
On 06.09.2012 21:54, Vernon Schryver wrote:
>> From: Ralf Weber <Ralf.Weber at nominum.com>
>
>> The protocol doesn't mandate a resolver to retry, ...
>
> Which protocol is that? I'm not disagreeing since the claim matches
> my intuition, but only asking for an RFC number (or numbers) so
> that I can understand the exegesis.
RFC 4035 Section 5 explains how to validate signatures and what to do if
that fails (5.5). It says nothing about doing or not doing retries.
BIND and Unbound retry a couple of times and scatter the queries among
all authoritative NS.
> How is javascript involved? That sounds like a pair of ordinary
> <IMG> beacons.
>
> If javascript is involved, do you figure that browsers with javascript
> controlled manually or automatically (e.g. with NoScript) are
> insignificant or that the resolvers of users that do such things
> should not be counted?
JavaScript is only needed if you want to show the result to the user.
For statistics the <img> tags suffice, no JS involved.
> I assume I'm odd, because I'm not eager to put the invisible HREF
> anchor on my web pages because of the extra DNS transactions imposed
> on users. I also have vague worries I can't articulate about privacy
> concerns.
>
> My answer to putting a simple <IMG> beacon on my web pages would
> be a flat "never." There are too many technical and legal issues.
> For example, what about privacy issues with the referer string?
>
> I'd have trouble responding politely to a request that I add
> javascript to my web pages. I don't think I'm religiously opposed
> to javascript, since I'm taking a break from fighting some javascript
> bugs to write this. It's just simple security and operational
> prudence to never code that is not strictly necessary.
Can't argue with that. If privacy is an issue, you won't become friends
with foreign HTTP resources.
Kind regards,
Matt
--
Universität Duisburg-Essen
Fachgebiet Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
Tel: +49 203 379 2767