Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)

"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Mon, 25 October 2010 20:53 UTC

Message-ID: <19527446.1288039842458.JavaMail.root@mswamui-andean.atl.sa.earthlink.net>
Date: Mon, 25 Oct 2010 15:50:42 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: David Conrad <drc@virtualized.org>, Paul Wouters <paul@xelerance.com>
Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
Cc: "namedroppers@ops.ietf.org WG" <namedroppers@ops.ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

David and all,


-----Original Message-----
>From: David Conrad <drc@virtualized.org>
>Sent: Oct 25, 2010 3:32 PM
>To: Paul Wouters <paul@xelerance.com>
>Cc: "namedroppers@ops.ietf.org WG" <namedroppers@ops.ietf.org>
>Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
>
>Paul,
>
>On Oct 25, 2010, at 10:05 AM, Paul Wouters wrote:
>> unbound already supports a changing forwarder statement via unbound-control, and
>> even deals with the forwarder changing between DNSSEC (in)capable forwarders. And
>> it also detects stripped DNSSEC data.
>
>Wouldn't this mean the application has to know that it is behind a forwarder?  If it isn't (or it can't figure out if it is), it'll have to implement the full iterative resolver goop.  As such, I'd think the safe approach for application developers would be to link in the full iterative resolver library into the application.  
>
>Regards,
>-drc
>
>
  What you suggest may/may not be a safe approach, but it is not very efficient.
Surely we can do better than this.  Seems a sloppy and wasteful approach
to me.  Seems also to me that there would be a number of new attack
approaches to your suggestion as well.  Just off the top of my head, my wee
brain can conjure up some pretty simple new ones with this, your suggestion.
However, they may be easily detectable and therefore soon circumventable or
made impotent and therefore not seriously considered by would-be attackers.
Nonetheless, it is more important IMO that we don't ask for more trouble,
don't you think?

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
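As an added illustration of the "detects stripped DNSSEC data" behaviour Paul mentions (this is example code written for this archive page, not unbound's code and not from the thread), the check below classifies a response to a DO=1 query as coming through a DNSSEC-aware path or not. It assumes the queried name lies in a zone the stub already knows to be signed, and it runs on constructed wire-format responses rather than captured traffic.

```python
import struct
# RFC 1035 / RFC 6891 wire constants; the EDNS DO bit is bit 15 of the OPT RR's TTL field.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000
def _skip_name(msg, off):  # offset just past a wire-format name, compression pointers included
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, and it ends the name
            return off + 2
        off += length + 1

def parse_response(msg):
    """Return (answer-section RR types in order, whether the response's OPT RR echoes DO)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    answer_types, do_echoed = [], False
    for i in range(an + ns + ar):        # walk answer, authority and additional sections
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do_echoed = bool(ttl & DO_FLAG)
        elif i < an:
            answer_types.append(rtype)
    return answer_types, do_echoed

def check_dnssec_path(response):
    """Classify a response to a DO=1 query for a name in a zone known to be signed."""
    answer_types, do_echoed = parse_response(response)
    if not do_echoed:
        return "do-not-echoed"           # the upstream forwarder is not DNSSEC-aware
    if not answer_types:
        return "no-answer"               # negative answers need NSEC/NSEC3 checks, not covered here
    return "ok" if TYPE_RRSIG in answer_types else "rrsig-missing"

# Constructed www.example.com/A responses (not captured traffic) to exercise the check.
QNAME = b"\x03www\x07example\x03com\x00"
PTR = b"\xc0\x0c"                        # compression pointer back to the question name
_rr = lambda rtype, rdata: PTR + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def build_response(with_rrsig, echo_do):
    answers = _rr(TYPE_A, bytes([192, 0, 2, 1]))
    if with_rrsig:
        answers += _rr(TYPE_RRSIG, b"\x00" * 24)   # placeholder RDATA; only its presence matters
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if echo_do else 0, 0)
    return header + QNAME + struct.pack("!HH", TYPE_A, 1) + answers + opt
```

`check_dnssec_path(build_response(False, True))` reports the RRSIG-stripping case and `build_response(True, False)` the DNSSEC-unaware forwarder case; a real stub would still have to validate the signatures it does receive.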