[dns-operations] Research Project: Identifying DNSSEC Validators
matthaeus.wander at uni-due.de
Thu Sep 6 20:57:00 UTC 2012
On 06.09.2012 21:54, Vernon Schryver wrote:
>> From: Ralf Weber <Ralf.Weber at nominum.com>
>> The protocol doesn't mandate a resolver to retry, ...
> Which protocol is that? I'm not disagreeing since the claim matches
> my intuition, but only asking for an RFC number (or numbers) so
> that I can understand the exegesis.
RFC 4035 Section 5 explains how to validate signatures and what to do if
that fails (5.5). It says nothing about doing or not doing retries.
BIND and Unbound retry a couple of times and scatter the queries among
all authoritative NS.
> <IMG> beacons.
> controlled manually or automatically (e.g. with NoScript) are
> insignificant or that the resolvers of users that do such things
> should not be counted?
For statistics the <img> tags suffice, no JS involved.
> I assume I'm odd, because I'm not eager to put the invisible HREF
> anchor on my web pages because of the extra DNS transactions imposed
> on users. I also have vague worries I can't articulate about privacy
> My answer to putting a simple <IMG> beacon on my web pages would
> be a flat "never." There are too many technical and legal issues.
> For example, what about privacy issues with the referer string?
> I'd have trouble responding politely to a request that I add
> bugs to write this. It's just simple security and operational
> prudence to never code that is not strictly necessary.
Can't argue with that. If privacy is an issue, you won't become friends
with foreign HTTP resources.
Fachgebiet Verteilte Systeme
Bismarckstr. 90 / BC 316
Tel: +49 203 379 2767