Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Mon, 25 October 2010 17:41 UTC
Date: Mon, 25 Oct 2010 12:39:15 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, Paul Vixie <vixie@isc.org>
Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
Cc: namedroppers@ops.ietf.org
-----Original Message-----
From: Phillip Hallam-Baker
Sent: Oct 24, 2010 5:25 PM
To: Paul Vixie
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] need new flag bit in EDNS, "do me no favours" (DMNF)
I think that the probability of this being implemented or respected on either end is low.
Applications will set the bit without asking the user and that will give the DNS providers all the justification they need to ignore it.
I also think that the range of policy options needs to be richer than a single bit. Many people are happy to accept advertising if they are getting a real benefit in return. For example, having malware and phishing sites filtered out. The problem with ISP interception is that the end user does not get the choice.
I agree fully with these thoughts.
I think that what we need to do is to abandon the idea that applications take DNS service from the nearest DNS resolver. It is a trusted role regardless of whether DNSSEC is in use or not.
Also very much agreed here.
The only sure fire way to avoid these issues is to apply guerilla tactics. The platform needs to identify the service it is going to connect to in a way that the user can easily understand - i.e. a DNS name. So to connect through the Comodo Group Inc. curated DNS, you would type in 'comodo.com' as your DNS resolver. Or for Google it would be google.com.
There might even be different resolver policies on offer. For example there might be scada.comodo.com on offer for the most restrictive set of resolution controls and use of that service might have a subscription fee. That is not a service many people would want to subscribe to at home but might make a lot of sense for connecting critical infrastructure control systems to exactly the set of Internet resources that they need to contact and no more.
In DPLS I propose a mechanism that allows DNS resolvers to advertise a secure means of connecting via UDP. The architectural principles can be extended so that the client attempts to connect by UDP if available but will fall back to using SSL on the HTTPS port if that is blocked.
On Sun, Oct 24, 2010 at 1:49 PM, Paul Vixie <vixie@isc.org> wrote:
> Date: Sun, 24 Oct 2010 10:34:05 -0700
> From: Colm MacCárthaigh <colm@allcosts.net>
> Sounds like an ok idea, though it's hard to see operators honouring the bit
> - but to meet your own burden of relevance; why should the DNS protocol be
> complicated with an EDNS change to facilitate the users of shared-resolvers
> when those users could simply run their own?
if it's a single bit that specifies optional behaviour that some people want,
and it's unlikely to create market pressure on people who have no need for it
on their own but who would have to implement it anyway (as i think is true of
the google proposal for adding stub IP to the recursive/authority q-tuple) and
it's not a layering change (dare i say "violation") as is definitely true of
the google stub-IP proposal, then it's effectively an FYI rather than a STD.
--
Website: http://hallambaker.com/
Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
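
An added illustration, not part of the original message or of any draft discussed in the thread: how a single EDNS flag bit travels in the OPT pseudo-RR's TTL field, and why honouring it is entirely the resolver's choice. The position of `DMNF_BIT` and the `resolver_view` policy function are hypothetical (the thread assigns no bit value), and the query is constructed sample input.

```python
import struct

DO_BIT = 0x8000    # DNSSEC OK, the existing standard EDNS flag
DMNF_BIT = 0x2000  # hypothetical position for "do me no favours"; not assigned by the thread

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, flags, udp_size=4096, qid=0x1234):
    """Constructed A/IN query carrying one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE (8 bits) | version (8 bits) | flags (16 bits), RDLEN=0
    ttl = flags & 0xFFFF
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def edns_flags(msg):
    """Return the 16-bit EDNS flags of the first OPT RR, or None without EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return ttl & 0xFFFF
        off += 10 + rdlen
    return None

def resolver_view(msg, honours_dmnf):
    """Hypothetical resolver policy: the bit only matters if the operator opts in."""
    flags = edns_flags(msg)
    if flags is None:
        return "no-edns"
    return "unmodified" if (flags & DMNF_BIT) and honours_dmnf else "operator-policy"
```

Nothing in the message binds the bit to the user's intent or to the resolver's behaviour: any stub can set it, and a resolver that does not implement it sees the same query as one that chooses to ignore it.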