Re: [dnsext] Practically secure DNS
Paul Wouters <paul@xelerance.com> Mon, 24 October 2011 13:45 UTC
> On 2011-10-24, at 09:40, Masataka Ohta wrote:
> > http://www.ietf.org/id/draft-ohta-practically-secure-dns-00.txt

Isn't all of this already proposed in

http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01

and implemented in unbound?

It also totally ignores the fact that if all involved name servers are "secure" (definition unknown) but the traffic path is not, the "secure" client is still going to take rewritten replies. E.g. this draft does not even handle the "starbucks wifi" scenario or any transparent DNS proxy scenario.

Paul