[dhcwg] Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt

Rob Austein <sra+namedroppers@hactrn.net> Sat, 22 February 2003 12:11 UTC

Date: Fri, 21 Feb 2003 20:39:30 -0500
From: Rob Austein <sra+namedroppers@hactrn.net>
To: Ralph Droms <rdroms@cisco.com>
Cc: dhcwg@ietf.org, ipng@sunroof.eng.sun.com, namedroppers@ops.ietf.org

In response to the main question: I've read the draft, the option
looks reasonable to me (subject to the discussion that has
already taken place during this last call, I'm not disagreeing with
any of that), and I think it'd be useful for this draft to advance.

The rest of this message is on one specific point:

At Thu, 20 Feb 2003 14:55:11 -0500, Ralph Droms wrote:
> At 08:27 PM 2/10/2003 +0100, Peter Koch wrote:
> 
> >Apart from the sad fact that DNSSEC isn't yet deployed I don't see why it
> >wouldn't be able to detect spoofing. If, however, you want to say that
> >using domain names in the search list you don't control is a dangerous
> thing, that could be emphasized by a reference to RFC 1535.
> 
> The idea here (note that I'm not a DNSSEC expert, either) is that
> a search list that the host doesn't control might still pass DNSSEC
> authentication while yielding unexpected results.
> 
> I would be happy to hear that DNSSEC can prevent the problem and would
> be willing to follow your suggestion and replace the reference to
> DNSSEC with a more general reference to untrusted search lists.

DNSSEC could let you figure out whether the data you got back was
signed by an entity which you trust.  The difficulty with search
paths is that you're also trusting the search path to tell you what
question you should be asking.  So DNSSEC could let you figure out
whether the random question that your search path just told you to ask
was answered with data signed by an entity which you trust, but it's
not going to help you figure out whether that was the right question.
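The point made in the message above, as an added example that is not part of the original thread: a stub resolver's search-list expansion decides which name is queried, so a validly signed answer can still be an answer to the wrong question. The domains, addresses, function names and the trusted-suffix check are constructed for illustration, and DNSSEC validation is modeled by treating every record in the table as correctly signed by its zone owner.

```python
# Added illustration; all names, zones and addresses below are constructed.

def candidates(name, search_list, ndots=1):
    """Return the FQDNs a stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]  # already fully qualified: the search list is not used
    as_is = name + "."
    expanded = [f"{name}.{s.rstrip('.')}." for s in search_list]
    # Names with at least `ndots` dots are tried as-is first, otherwise last.
    return [as_is] + expanded if name.count(".") >= ndots else expanded + [as_is]

def resolve(name, search_list, signed_records, ndots=1):
    """First candidate that has data wins; every record here 'validates'."""
    for fqdn in candidates(name, search_list, ndots):
        if fqdn in signed_records:
            return fqdn, signed_records[fqdn]
    return None, None

def in_suffix(fqdn, suffix):
    """True if fqdn equals suffix or is a subdomain of it (label-aligned)."""
    suffix = suffix.rstrip(".").lower() + "."
    fqdn = fqdn.lower()
    return fqdn == suffix or fqdn.endswith("." + suffix)

def audit_search_list(search_list, trusted_suffixes):
    """Return search-list entries that fall outside locally trusted suffixes."""
    return [s for s in search_list
            if not any(in_suffix(s.rstrip(".") + ".", t) for t in trusted_suffixes)]

# Both records are authentically signed by their respective zone owners.
SIGNED = {
    "mail.corp.example.": "2001:db8::25",
    "mail.other.example.": "2001:db8:bad::25",
}
LOCAL_LIST = ["corp.example"]                      # configured by the host owner
SUPPLIED_LIST = ["other.example", "corp.example"]  # received from the network

if __name__ == "__main__":
    print(resolve("mail", LOCAL_LIST, SIGNED))     # question the user meant
    print(resolve("mail", SUPPLIED_LIST, SIGNED))  # different question, still signed
    print(audit_search_list(SUPPLIED_LIST, ["corp.example"]))
```

A host that applies a check like `audit_search_list` before installing a network-supplied search list catches what answer validation cannot: the list steering the query to a different zone.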