IETF Logo Mail Archive

Re: [dnsext] URI RRTYPE review - Comments period end Aug 15th

"Patrik Faltstrom (pfaltstr)" <pfaltstr@cisco.com> Wed, 13 October 2010 14:55 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 512DD3A6956; Wed, 13 Oct 2010 07:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.288
X-Spam-Level:
X-Spam-Status: No, score=-8.288 tagged_above=-999 required=5 tests=[AWL=0.243, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, RCVD_NUMERIC_HELO=2.067]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0axXqo5vw6cs; Wed, 13 Oct 2010 07:55:46 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id E9DBC3A68FD; Wed, 13 Oct 2010 07:55:45 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1P62fv-000JUG-P0 for namedroppers-data0@psg.com; Wed, 13 Oct 2010 14:51:27 +0000
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.72 (FreeBSD)) (envelope-from <pfaltstr@cisco.com>) id 1P62fs-000JTh-6L for namedroppers@ops.ietf.org; Wed, 13 Oct 2010 14:51:24 +0000
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ao4HAG9ktUxAaMHG/2dsb2JhbACDH5A6hWcBhzdUAnGfSoobklKBIoMydASKQYMJgmA
X-IronPort-AV: E=Sophos; i="4.57,325,1283731200"; d="scan'208,217"; a="268825159"
Received: from syd-core-1.cisco.com ([64.104.193.198]) by sj-iport-5.cisco.com with ESMTP; 13 Oct 2010 14:51:21 +0000
Received: from xbh-ams-101.cisco.com (xbh-ams-101.cisco.com [144.254.74.71]) by syd-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o9DEpGRB009149; Wed, 13 Oct 2010 14:51:20 GMT
Received: from xmb-ams-106.cisco.com ([144.254.74.81]) by xbh-ams-101.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 13 Oct 2010 16:51:12 +0200
Received: from 72.163.62.205 ([72.163.62.205]) by XMB-AMS-106.cisco.com ([144.254.74.81]) with Microsoft Exchange Server HTTP-DAV ; Wed, 13 Oct 2010 14:51:11 +0000
Subject: Re: [dnsext] URI RRTYPE review - Comments period end Aug 15th
References: <20100725184119.GA42253@registro.br> <AANLkTikLbJwMLjzgyhFZ+fcc63-6wo0ccBb_CRgL2hw2@mail.gmail.com> <8E0002DF-09C9-46CD-AB1B-6DE946E3D0DC@cisco.com> <AANLkTinuNGYU_eoh5-Y=XJwmeo6psU_vPYt1vFAjq+Kk@mail.gmail.com> <C9DE16B6-3740-4670-955A-60448A14A7E8@cisco.com> <AANLkTi=W_6vP2wOfE0eiBNWviRXqHnKFuqNnOtt2Vwen@mail.gmail.com> <0058A35A-86AB-4BC8-A9C0-2DD92CA04265@cisco.com> <AANLkTimnZDATPy5Angw8o6rFQrmiQhfyvBNCjfTwV1KO@mail.gmail.com>
Content-Transfer-Encoding: 7bit
From: "Patrik Faltstrom (pfaltstr)" <pfaltstr@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-21--563341126"; charset="UTF-8"
Thread-Topic: [dnsext] URI RRTYPE review - Comments period end Aug 15th
Thread-Index: Actq5hNvvebl5SxhTriYVjE7rX1Nvw==
In-Reply-To: <AANLkTimnZDATPy5Angw8o6rFQrmiQhfyvBNCjfTwV1KO@mail.gmail.com>
Message-ID: <B65EFD00-6580-4379-B586-F08F4500B381@cisco.com>
Date: Wed, 13 Oct 2010 16:51:43 +0200
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, Frederico A C Neves <fneves@registro.br>, namedroppers@ops.ietf.org
MIME-Version: 1.0 (iPhone Mail 8B117)
X-OriginalArrivalTime: 13 Oct 2010 14:51:12.0210 (UTC) FILETIME=[14147B20:01CB6AE6]
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

On 13 okt 2010, at 15:13, "Phillip Hallam-Baker" <hallam@gmail.com> wrote:

> Unfortunately, NAPTR does not have the ability to specify security policy information so the deployment incentives don't work the same.

NAPTR only exists within a DDDS context, so that is up to your definition of the algorithm that uses the NAPTR.

So I do not understand the above. Please expand.

   Patrik

> SRV has existed for a decade now, yet we still cant get applications to bother to check it for no-brainer applications such as imap.
> 
> 
> If people care about security (an unproven hypothesis unfortunately) and are thus willing to check a DNSSEC signature chain, then I have to hope that they are willing to do an extra lookup to actually give that DNSSEC lookup a point.
> 
> The biggest security hole in the Internet at the moment is the fact that security is an optional afterthought. So sites have to rely on people noticing the dorky padlock icon which means only that the communication was encrypted.
> 
> 
> DNSSEC deployment might not require an out of pocket cost, but that does not mean that the cost of deployment is 'free'. Just the fact that DNSSEC means that DNS deployment has to be done right means several hours extra work a year and that translates into higher administration costs.
> 
> There has to be a compelling value provided by DNSSEC and merely defeating the Kaminsky attack on its own isn't enough.
> 
> Provide protection against the downgrade attack however and suddenly you have a very compelling value with an immediate value to the client that cannot be realized any other way.
> 
> 
> An e-commerce site does not need to be very large for the value of a security policy record to be in the hundreds of dollars. For the major phishing targets it is in the hundred of thousands or millions.
> 
> Making a case for better discovery techniques on their own is much harder since the cost of bandwidth continues to fall and the application providers have not seen a benefit to date.
> 
> 
> Which is why I think that a flag in the security policy record that says 'hey there is also a better discovery mechanism' is more powerful as a deployment strategy than a flag in the discovery record saying to use https.
> 
> 
> 2010/10/12 Patrik Fältström <paf@cisco.com>
> On 12 okt 2010, at 21.30, Phillip Hallam-Baker wrote:
> 
> > For example it
> > could tell the client that it can use SRV or NAPTR or URI for enhanced
> > discovery.
> >
> > example.com  ESRV "prefix=_http._tcp,_imap._tcp"
> > _http._tcp.example.com ESRV "tls=required disc=srv"
> > _http._tcp.example.com SRV 1 1 80 site1.example.com
> > _http._tcp.example.com SRV 1 1 80 site2.example.com
> 
> For me this is what NAPTR does...
> 
> example.com. NAPTR 20 0 "s" "http" "" _http._tcp.frobbit.se.
> example.com. NAPTR 20 0 "s" "imap" "" _imap._tcp.frobbit.se.
> _http._tcp.example.com. SRV 1 1 80 site1.example.com.
> _http._tcp.example.com. SRV 1 1 80 site2.example.com.
> 
>   Patrik
> 
> 
> 
> 
> -- 
> Website: http://hallambaker.com/
>

v2.23.0 | Report a Bug | By Email