IETF Logo Mail Archive

Re: [dnsext] Re: need new flag bit in EDNS, "do me no favours" (DMNF)

Nicholas Weaver <nweaver@icsi.berkeley.edu> Tue, 26 October 2010 18:14 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E0F33A6844; Tue, 26 Oct 2010 11:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.154
X-Spam-Level:
X-Spam-Status: No, score=-2.154 tagged_above=-999 required=5 tests=[AWL=0.445, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbcvDFrjW8z0; Tue, 26 Oct 2010 11:14:11 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 03EDA3A6818; Tue, 26 Oct 2010 11:14:11 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1PAnzc-000OFe-6B for namedroppers-data0@psg.com; Tue, 26 Oct 2010 18:11:28 +0000
Received: from taffy.icsi.berkeley.edu ([192.150.187.26]) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <nweaver@icsi.berkeley.edu>) id 1PAnzZ-000OFR-C5 for namedroppers@ops.ietf.org; Tue, 26 Oct 2010 18:11:25 +0000
Received: from gala.icsi.berkeley.edu (gala.ICSI.Berkeley.EDU [192.150.186.168]) by taffy.ICSI.Berkeley.EDU (Postfix) with ESMTP id B52413137F0; Tue, 26 Oct 2010 11:11:24 -0700 (PDT)
References: <59023.1287939121@nsa.vix.com> <20101025094523.GA5187@nic.fr> <41281.1288025835@nsa.vix.com> <20101025233215.4A495606495@drugs.dv.isc.org> <72674.1288058394@nsa.vix.com> <AANLkTikVzwCf7Ti-6G8hOYaHXHJ3+dy9_nRszb2iVFZk@mail.gmail.com> <79152.1288064704@nsa.vix.com> <alpine.LFD.1.10.1010261218000.29025@newtla.xelerance.com>
In-Reply-To: <alpine.LFD.1.10.1010261218000.29025@newtla.xelerance.com>
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <6EC2C9D1-8BBE-41B7-9A2E-85EA1F796A0F@icsi.berkeley.edu>
Content-Transfer-Encoding: quoted-printable
Cc: Nicholas Weaver <nweaver@icsi.berkeley.edu>
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [dnsext] Re: need new flag bit in EDNS, "do me no favours" (DMNF)
Date: Tue, 26 Oct 2010 11:11:24 -0700
To: namedroppers WG <namedroppers@ops.ietf.org>
X-Mailer: Apple Mail (2.1081)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

Why would the misbehaving DNS authorities bother?

They either have clean opt-outs (eg, Comcast's is reasonably enough and permanent: it changes the DHCP config so that in the future you get a clean resolver.  Only if you change your cable-modem does this need resetting), or DELIBERATELY unclean opt-outs (Verizon's 'change your DNS resolver settings', Bell canada's for a while was even worse: it added a cookie which simply caused the wildcard page to display a fake browser error page!)


So in the former case, this is unnecessary, and in the latter case, why would they bother?  They've made a deliberate decision to make it hard and hostile.



Additionally, the comment elsewhere that "we have a 'don't bother me': use DNSSEC and/or local resolution" is correct.  

Comcast's is supposedly going away as they turn on DNSSEC (because its fundamentally incompatible in their opinion, http://www.dnssec.comcast.net/faq.htm#faq7 
http://tools.ietf.org/html/draft-livingood-dns-redirect-03#section-8.1
).


And I've argued repeatedly that the DNSSEC validation for "normal" records (A, AAAA, MX, etc) should be on the client as follows:

IF the chain validates, accept the record from the cache.

If, for any reason (no sig, broken sig, no root, whatever) the validation fails, do an independent fetch bypassing the recursive resolver.

And this policy eliminates the problem of the lying recursive resolver, AND creates an incentive for people to deploy DNSSEC without the penalties of deploying DNSSEC incorrectly.

v2.23.0 | Report a Bug | By Email