IETF Logo Mail Archive

Re: [dnsext] draft-bellis-dnsext-dnsproxy-00

Ray.Bellis@nominet.org.uk Mon, 03 November 2008 21:53 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85E923A6A66; Mon, 3 Nov 2008 13:53:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_UK=1.749, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2hRwXNd+Jbd; Mon, 3 Nov 2008 13:53:58 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 399B33A68B6; Mon, 3 Nov 2008 13:53:58 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Kx7Gh-0002jU-TX for namedroppers-data@psg.com; Mon, 03 Nov 2008 21:47:27 +0000
Received: from [213.248.199.24] (helo=mx4.nominet.org.uk) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <Ray.Bellis@nominet.org.uk>) id 1Kx7Ga-0002iM-IV for namedroppers@ops.ietf.org; Mon, 03 Nov 2008 21:47:25 +0000
DomainKey-Signature: s=main.dk.nominet.selector; d=nominet.org.uk; c=nofws; q=dns; h=X-IronPort-AV:Received:In-Reply-To:To:Cc:Subject: MIME-Version:X-Mailer:Message-ID:From:Date:X-MIMETrack: Content-Type; b=bnWqhyPLh+yFWF8qZaBnmpTYDgMtaXW6x9nKUdiyryrXa1jUcklZeOEm PbuVy3V19fZupq1VupqjxOcuVb+8PsmwwyR8lmInoCQfeLSjDaTbh9Pgl Xf3tYoAZV080yQQ;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nominet.org.uk; i=Ray.Bellis@nominet.org.uk; q=dns/txt; s=main.dkim.nominet.selector; t=1225748840; x=1257284840; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20Ray.Bellis@nominet.org.uk|Subject:=20Re:=20[dnse xt]=20draft-bellis-dnsext-dnsproxy-00|Date:=20Mon,=203=20 Nov=202008=2021:47:17=20+0000|Message-ID:=20<OF7E3816AF.C 6D6EB41-ON802574F6.0076B6C3-802574F6.0077AF4E@nominet.org .uk>|To:=20Florian=20Weimer=20<fw@deneb.enyo.de>|Cc:=20na medroppers@ops.ietf.org|MIME-Version:=201.0|In-Reply-To: =20<87zlkgtxt1.fsf@mid.deneb.enyo.de>; bh=XpdBqJ7+aHdXsdlAnHHvQDb5r01vR+MGOQPcXLGoI+o=; b=2T1RNgry0iuh64ikQ6cKaG2Kv8GGkUh3QDf6BmmGNpmom6RH8ZJReqvU aUDSQqYtj0jB8M5bija+nsqzpXJhFKM4/IfkvuEf4uz+oPpu1sHu1de3D gPPEgAEmg4jDMm9;
X-IronPort-AV: E=Sophos;i="4.33,538,1220223600"; d="scan'208";a="6709012"
Received: from notes1.nominet.org.uk ([213.248.197.128]) by mx4.nominet.org.uk with ESMTP; 03 Nov 2008 21:47:18 +0000
In-Reply-To: <87zlkgtxt1.fsf@mid.deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF7E3816AF.C6D6EB41-ON802574F6.0076B6C3-802574F6.0077AF4E@nominet.org.uk>
From: Ray.Bellis@nominet.org.uk
Date: Mon, 03 Nov 2008 21:47:17 +0000
X-MIMETrack: Serialize by Router on notes1/Nominet(Release 7.0.1FP1 | May 25, 2006) at 03/11/2008 09:47:18 PM, Serialize complete at 03/11/2008 09:47:18 PM
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> |   Also, whilst the EDNS0 specification allows for a buffer size of up
> |   to 65536 octets, most common DNS server implementations do not
> |   support a buffer size above 4096 octets.
> 
> 65536?  Shouldn't it be 65535?

Indeed, yes!  Well done for catching the deliberate mistake ;-)

> | 6.1.  Forgery Resilience
> 
> It is imperative that if the the response is cached, the packet is not
> passed through unchanged, query ID and source ports MUST be
> randomized.  This requires some work for TSIG queries (as described in
> RFC 2845).

I'm no expert on TSIG and included what little there is at Olafur's 
behest.  I'll probably need to defer that one to him.

> 
> |   o  invalid compression pointers (i.e. those that run forward of the
> |      current packet offset, or which don't point at the start of
> |      another label).
> 
> Are these pointers really invalid?

Forward pointing ones certainly are:

RFC1035, section 4.1.4: "In this scheme, an entire domain name or a list 
of labels at the end of a domain name is replaced with a pointer to a 
prior occurance of the same name"

A pointer that links to somewhere other than the start of another label 
isn't (AFAIK) expressly prohibited.  However I can't imagine why any 
"real" upstream resolver would ever produce one for legitimate reasons.  I 
am aware of certain research of the use of this technique to reduce the 
size of packets needed for cache-poisoning attacks, since smaller packets 
implies greater attack efficiency.

> Compression loops and compression references in places where actually
> forbidden by the RFCs would be relevant examples, IMHO.

Compression loops is a good one.  Can you provide an example or reference 
to an illegal compression place?

> This raises the question of trailing garbage in the UDP packet.  For
> interoperability reasons, I think this has to be accepted.

Interesting...  in my earlier research we were more concerned with missing 
data, and never noticed extraneous data.  Is this a common occurrence?

> I like the draft.  But I have to agree with Bert that it's a bit like
> preaching to the choir.

Yes, but the intent is that this draft will help make the choir larger :)

Ray


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email