Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Mon, 25 October 2010 20:53 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 552963A68EB; Mon, 25 Oct 2010 13:53:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.742
X-Spam-Level:
X-Spam-Status: No, score=-1.742 tagged_above=-999 required=5 tests=[AWL=0.857, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vpckGfdKyAp; Mon, 25 Oct 2010 13:53:46 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C006D3A68F2; Mon, 25 Oct 2010 13:53:45 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1PAU0H-000Chu-E6 for namedroppers-data0@psg.com; Mon, 25 Oct 2010 20:50:49 +0000
Received: from elasmtp-kukur.atl.sa.earthlink.net ([209.86.89.65]) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <jwkckid1@ix.netcom.com>) id 1PAU0D-000ChV-Gj for namedroppers@ops.ietf.org; Mon, 25 Oct 2010 20:50:45 +0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=QXx5r+qCJD8BBeLpyGNB4uWdDPftNgWHm7Fu+LINttJJ32ggKdbC2lLt243FTxcB; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [209.86.224.24] (helo=mswamui-andean.atl.sa.earthlink.net) by elasmtp-kukur.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <jwkckid1@ix.netcom.com>) id 1PAU0A-0005dP-Ev; Mon, 25 Oct 2010 16:50:42 -0400
Received: from 99.93.224.206 by webmail.earthlink.net with HTTP; Mon, 25 Oct 2010 16:50:41 -0400
Message-ID: <19527446.1288039842458.JavaMail.root@mswamui-andean.atl.sa.earthlink.net>
Date: Mon, 25 Oct 2010 15:50:42 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: David Conrad <drc@virtualized.org>, Paul Wouters <paul@xelerance.com>
Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
Cc: "namedroppers@ops.ietf.org WG" <namedroppers@ops.ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606885580625a8bbd38a504a0ae1686a69720350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 209.86.224.24
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
David and all, -----Original Message----- >From: David Conrad <drc@virtualized.org> >Sent: Oct 25, 2010 3:32 PM >To: Paul Wouters <paul@xelerance.com> >Cc: "namedroppers@ops.ietf.org WG" <namedroppers@ops.ietf.org> >Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF) > >Paul, > >On Oct 25, 2010, at 10:05 AM, Paul Wouters wrote: >> unbound already supports a changing forwarder statement via unbound-control, and > >> even deals with the forwarder changing between DNSSEC (in)capable forwarders. And >> it also detects stripped DNSSEC data. > >Wouldn't this mean the application has to know that it is behind a forwarder? If it isn't (or it can't figure out if it is), it'll have to implement the full iterative resolver goop. As such, I'd think the safe approach for application developers would be to link in the full iterative resolver library into the application. > >Regards, >-drc > > What you suggest may/may not be a safe approach but not very efficient. Surely we can do better than this. Seems a sloppy and wasteful approach to me. Seems also to me that there would be a number of new attack a approaches to your suggestion as well. Just of the top of my head, my wee brain can conjure up some pretty simple new ones with this, your suggestion. However they may be easily detectable and therefore soon circumventable or made impotant and therefore not seriously considered by would be attackers. None the less it is more important IMO that we don't ask for more trouble, don't you think? Regards, Jeffrey A. Williams "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com Phone: 214-244-4827
- [dnsext] need new flag bit in EDNS, "do me no fav… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Colm MacCárthaigh
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Wouters
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Phillip Hallam-Baker
- Re: [dnsext] need new flag bit in EDNS, "do me no… Roy Arends
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… Roy Arends
- Re: [dnsext] need new flag bit in EDNS, "do me no… Brian Dickson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Mans Nilsson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- [dnsext] stub validation Paul Vixie
- Re: [dnsext] stub validation Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Brian Dickson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Phillip Hallam-Baker
- Re: [dnsext] need new flag bit in EDNS, "do me no… bmanning
- Re: [dnsext] stub validation David Conrad
- Re: [dnsext] stub validation Phillip Hallam-Baker
- Re: [dnsext] stub validation Masataka Ohta
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jim Reid
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… David Conrad
- [dnsext] Re: need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Wouters
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jeffrey A. Williams
- Re: [dnsext] need new flag bit in EDNS, "do me no… Alex Bligh
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Mark Andrews
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Colm MacCárthaigh
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Brian Dickson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Phillip Hallam-Baker
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Alex Bligh
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Alex Bligh
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jim Reid
- Re: [dnsext] need new flag bit in EDNS, "do me no… Florian Weimer
- Re: [dnsext] need new flag bit in EDNS, "do me no… Florian Weimer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Roosenraad, Chris
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Wouters
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Nicholas Weaver
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Andreas Gustafsson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Wouters
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Nicholas Weaver
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… David Conrad
- [dnsext] Re: need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Ulevitch
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Florian Weimer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Andreas Gustafsson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams