Re: [dane] Behavior in the face of no answer?

Paul Wouters <paul@cypherpunks.ca> Fri, 11 May 2012 18:37 UTC

Date: Fri, 11 May 2012 14:37:51 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <FBDFBA02-D93F-4153-8AE5-CA0963C1AA2E@icsi.berkeley.edu>
Message-ID: <alpine.LFD.2.02.1205111425050.1347@bofh.nohats.ca>
References: <201205111646.q4BGkNcF008939@new.toad.com> <FBDFBA02-D93F-4153-8AE5-CA0963C1AA2E@icsi.berkeley.edu>
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?

On Fri, 11 May 2012, Nicholas Weaver wrote:

>> Can you provide some actual names of such devices, preferably with
>> links to people complaining about their badly written DNS proxies?
>> What is the practical effect of the limitations in their DNS proxies?
>> How widely deployed are they, and where?  Are these endpoint devices
>> or routers?  Has the mfr released updated firmware for them?  Etc.
>
> It's very ubiquitous, and the biggest problem is the CPE (Customer Premises Equipment, aka the @#)(@*#)$ NAT!).
>
> www.icir.org/christian/publications/2011-satin-netalyzr.pdf

There is also:

www.icann.org/en/groups/ssac/documents/sac-035-en.pdf
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/DNSSEC/DNSSEC_Support_by_Home_Routers.pdf
http://ripe60.ripe.net/presentations/Dietrich-DNSSEC_Support_by_Home_Routers_in_Germany.pdf
https://www.iis.se/docs/Health-Status-DNS-and-DNSSEC-20120321.pdf

etc. etc.

There are a lot of failure modes. One important one used to be the
dnsmasq software shipped with many commercial vendors, though that
one has now been fixed, though no one installs firmware updates so
it takes years for this kind of brokenness to disappear.

The Atlas probe project at RIPE will hopefully be able to tell us a lot more
in the near future as well.

Regardless, to get back on the topic, there will be devices that can
do DNSSEC but that do not handle the Generic record format.

Paul
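The closing point of the message, a CPE proxy that forwards DNSSEC but cannot pass through record types it does not know, is easy to observe with a raw DNS query. The following is an added example, not code from the original message or from any of the reports it cites: it builds a TLSA (type 52) query with the EDNS0 DNSSEC OK bit, parses a reply while treating the RDATA as opaque bytes so it can be printed in the RFC 3597 generic presentation format (`TYPE52 \# <len> <hex>`), and classifies the outcome the way a resolver-health check would (no reply, error rcode, record stripped, or answer present, with or without the AD bit). `build_response` is a hypothetical helper that stands in for the device under test so everything runs offline; the names and hash bytes are constructed.

```python
"""Added example: probe for the 'DNSSEC OK but no generic-type support' failure mode.
Only the standard library is used; build_response fakes the proxy's reply for testing."""
import struct

TLSA = 52          # RFC 6698 record type used by DANE
OPT = 41           # EDNS0 pseudo-RR
DO_FLAG = 0x8000   # DNSSEC OK bit: high bit of the OPT RR's TTL field (RFC 6891)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid, dnssec_ok=True, udp_size=4096):
    """Query with RD set and an OPT RR carrying the DO bit; qtype may be any type number."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ext_flags = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, type 41, CLASS = advertised UDP payload size, TTL = extended flags, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ext_flags, 0)
    return header + question + opt


def decode_name(data, offset):
    """Read a possibly compressed name; returns (name, offset just past the name in the message)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier occurrence
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(data):
    """Parse header, skip the question, and collect every RR as (name, type, raw rdata)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT:  # the OPT pseudo-RR is not an answer
            records.append((name, rtype, rdata))
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200), "records": records}


def rfc3597_text(rtype, rdata):
    """Generic presentation format (RFC 3597): what a type-agnostic resolver must be able to carry."""
    return "TYPE%d \\# %d %s" % (rtype, len(rdata), rdata.hex())


def classify(raw, expected_type):
    """Map a raw reply (or None for a timeout) to the failure mode a health check would report."""
    if raw is None:
        return "no-answer"
    resp = parse_response(raw)
    if resp["rcode"] != "NOERROR":
        return "rcode:" + resp["rcode"]
    if not any(rtype == expected_type for _, rtype, _ in resp["records"]):
        return "stripped"
    return "ok+ad" if resp["ad"] else "ok"


def build_response(txid, flags, qname, qtype, rrs):
    """Hypothetical helper: construct a reply as the proxy under test would send it."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in rrs:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    name = "_443._tcp.example.com"                    # constructed DANE owner name
    tlsa = bytes([3, 1, 1]) + bytes(range(32))          # usage 3, selector 1, matching 1, constructed hash
    good = build_response(0x1234, 0x81A0, name, TLSA, [(name, TLSA, 3600, tlsa)])  # QR RD RA AD
    print(classify(good, TLSA), rfc3597_text(TLSA, tlsa))
    print(classify(build_response(0x1234, 0x8184, name, TLSA, []), TLSA))  # NOTIMP from a proxy
    print(classify(None, TLSA))                                             # proxy dropped the query
```

To use this against a real resolver, send `build_query(...)` over UDP to the proxy and feed the bytes (or `None` on timeout) to `classify`; the three constructed replies in the `__main__` block correspond to the outcomes the thread describes, a correct validated answer, an explicit error for an unknown type, and silence.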