[dns-operations] Research Project: Identifying DNSSEC Validators

Matthäus Wander matthaeus.wander at uni-due.de
Thu Sep 6 20:57:00 UTC 2012


On 06.09.2012 21:54, Vernon Schryver wrote:
>> From: Ralf Weber <Ralf.Weber at nominum.com>
>> The protocol doesn't mandate a resolver to retry, ...
> Which protocol is that?  I'm not disagreeing since the claim matches
> my intuition, but only asking for an RFC number (or numbers) so
> that I can understand the exegesis.

RFC 4035 Section 5 explains how to validate signatures and what to do if
that fails (5.5). It says nothing about doing or not doing retries.
BIND and Unbound retry a couple of times and scatter the queries among
all authoritative NS.

> How is javascript involved?  That sounds like a pair of ordinary
> <IMG> beacons.
> If javascript is involved, do you figure that browsers with javascript
> controlled manually or automatically (e.g. with NoScript) are
> insignificant or that the resolvers of users that do such things
> should not be counted?

JavaScript is only needed if you want to show the result to the user.
For statistics the <img> tags suffice, no JS involved.

> I assume I'm odd, because I'm not eager to put the invisible HREF
> anchor on my web pages because of the extra DNS transactions imposed
> on users.  I also have vague worries I can't articulate about privacy
> concerns.
> My answer to putting a simple <IMG> beacon on my web pages would
> be a flat "never."  There are too many technical and legal issues.
> For example, what about privacy issues with the referer string?
> I'd have trouble responding politely to a request that I add
> javascript to my web pages.  I don't think I'm religiously opposed
> to javascript, since I'm taking a break from fighting some javascript
> bugs to write this.  It's just simple security and operational
> prudence to never code that is not strictly necessary.

Can't argue with that. If privacy is an issue, you won't become friends
with foreign HTTP resources.

Kind regards,

Universität Duisburg-Essen
Fachgebiet Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
Tel: +49 203 379 2767
