Re: [dnsext] caches, validating resolvers, CD and DO

Mark Andrews <marka@isc.org> Wed, 30 March 2011 13:46 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CDAF03A6B59 for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 06:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRvasVA+Csrx for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 06:46:26 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id E9A963A6B57 for <dnsext@ietf.org>; Wed, 30 Mar 2011 06:46:25 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 987AAC9432; Wed, 30 Mar 2011 13:47:57 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:df8:0:96:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 642FC216C22; Wed, 30 Mar 2011 13:47:57 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 7FEDEDAF316; Thu, 31 Mar 2011 00:47:55 +1100 (EST)
To: "Marc Lampo" <marc.lampo@eurid.eu>
From: Mark Andrews <marka@isc.org>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <0CAE569785C163CFE87B957E@nimrod.local><46410.1301468733@nsa.vix.com> <20110330081029.867FDDAD484@drugs.dv.isc.org> <alpine.LSU.2.00.1103301218140.5244@hermes-1.csi.cam.ac.uk><005301cbeedc$e9653150$bc2f93f0$@lampo@eurid.eu>
In-reply-to: Your message of "Wed, 30 Mar 2011 15:12:16 +0200." <005301cbeedc$e9653150$bc2f93f0$@lampo@eurid.eu>
Date: Thu, 31 Mar 2011 00:47:55 +1100
Message-Id: <20110330134755.7FEDEDAF316@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 13:46:26 -0000

In message <005301cbeedc$e9653150$bc2f93f0$@lampo@eurid.eu>, "Marc Lampo" write
s:
> 
> Mark Andrews <marka@isc.org> wrote:
> >
> > A validating resolver with direct access to the athoritative servers
> > can work around a number of operational errors by being able to
> > retry the query with different servers.
> 
> >From the security point of view, letting "resolvers" (on end-user PC's)
> have access to authoritative servers is not a good idea.
> End-users should forward there queries to (internal ?) forwarding or
> caching name servers (only).
> Only then one can implement security on DNS traffic flows.
> Otherwise the firewall rule is : "any(internal)" to "any(external)" for
> port 53 : allow
> Which I'd disrecommend ... sorry.
> 
> Marc Lampo
 
Please go re-read the proposal.  You have not understood it.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org