Re: [dnsext] Forgery resilience and meeting in Stockholm
Otmar Lendl <lendl@nic.at> Wed, 20 May 2009 15:03 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BCBC3A67EF; Wed, 20 May 2009 08:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.765
X-Spam-Level:
X-Spam-Status: No, score=-0.765 tagged_above=-999 required=5 tests=[AWL=-0.011, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AT=0.424, RCVD_IN_DNSWL_LOW=-1, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5iZAu1nQmer; Wed, 20 May 2009 08:03:00 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3810D3A6FCB; Wed, 20 May 2009 08:02:55 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1M6nFi-0006as-Jp for namedroppers-data0@psg.com; Wed, 20 May 2009 14:58:42 +0000
Received: from [88.198.34.164] (helo=mail.bofh.priv.at) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <lendl@nic.at>) id 1M6nFM-0006Z1-KC for namedroppers@ops.ietf.org; Wed, 20 May 2009 14:58:28 +0000
Received: from [10.10.0.243] (nat.labs.nic.at [83.136.33.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.bofh.priv.at (Postfix) with ESMTP id 24D4E554013; Wed, 20 May 2009 16:58:18 +0200 (CEST)
Message-ID: <4A141A88.1060700@nic.at>
Date: Wed, 20 May 2009 16:58:16 +0200
From: Otmar Lendl <lendl@nic.at>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@shinkuro.com>
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
References: <20090508181422.GH2372@shinkuro.com>
In-Reply-To: <20090508181422.GH2372@shinkuro.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
A bit late, but whatever, here is my input: Andrew Sullivan wrote: > > 1. Do nothing, and take all energy that might be devoted to this > effort and direct it towards DNSSEC deployment. no. > 2. Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and > include in it recommendations to do nothing else except what that > document contains. Remove from section 3 any strategies we do not > want to adopt. (Note that this latter condition entails decisions > about the next two options.) Wouter's draft is a good summary, especially the re-query for RRSETs learned from the Auth section. Definitely adopt it. > 3. Adopt draft-vixie-dnsext-dns0x20-00. If we do (2), then perhaps > this gets included in that document, or perhaps it proceeds as part of > a set of documents. Let's leave the editorial process issues out of > the discussion, and just focus on whether we want to include this > strategy in the tool box. Just try to get the server side written down somewhere. That doesn't add any cost, and leaves the option to do the client part open. > 4. Adopt draft-hubert-ulevitch-edns-ping-01.txt. As in (3), this > might be included as part of (2) or processed individually, but that > doesn't matter. The draft as it stands is far from perfect, but the generic idea that we should try to somehow extend the query-ID is a very worthwhile one. IMHO there are a few different aspects to this: * The server-side is rather trivial, the only question is whether to go for a stateless or a stateful design on the server. * Use a new pseudo-RR or go for an EDNS0 option. What I'm really missing is a clear cut description on the client side algorithm and fall-back strategies. These huge email threads here have included both interesting schemes and assertions that this is impossible to get right. That's not good basis for a decisions, I'd really like to have a concrete proposal on the algorithm so that any attacks against it can be properly documented and examined. As with 0x20, I'm not sure whether we shouldn't split it up in a short and relatively painless (and not just informational) spec on what that extended qID looks on the wire and what the server-side is supposed to do, and an informational/experimental draft on how this can be leveraged to increase the security by the client. /ol -- // Otmar Lendl <lendl@nic.at>, T: +43 1 5056416 - 33, F: - 933 // -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Forgery resilience and meeting in Stockh… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… W.C.A. Wijngaards
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Ondřej Surý
- Re: [dnsext] Forgery resilience and meeting in St… Matthijs Mekking
- Re: [dnsext] Forgery resilience and meeting in St… Roy Arends
- Re: [dnsext] Forgery resilience and meeting in St… bert hubert
- Re: [dnsext] Forgery resilience and meeting in St… Stefan Schmidt
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Andrew Sullivan
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Matt Larson
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Mark Andrews
- Re: [dnsext] Forgery resilience and meeting in St… Bert
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Joe Abley
- Re: [dnsext] Forgery resilience and meeting in St… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Desperate plea for 0x20, was Re: [dnsext] Forgery… Shane Kerr
- Re: [dnsext] Forgery resilience and meeting in St… Florian Weimer
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Paul Vixie
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Jeffrey A. Williams
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- RE: Desperate plea for 0x20, was Re: [dnsext] For… Antoin Verschuren
- RE: [dnsext] Forgery resilience and meeting in St… Antoin Verschuren
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Federico Lucifredi
- Re: Desperate plea for 0x20, was Re: [dnsext] For… Florian Weimer
- Re: [dnsext] Forgery resilience and meeting in St… Otmar Lendl
- Re: [dnsext] Forgery resilience and meeting in St… Ólafur Guðmundsson /DNSEXT chair
- Re: [dnsext] Forgery resilience and meeting in St… Paul Vixie
- Re: [dnsext] Forgery resilience and meeting in St… Nicholas Weaver
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Federico Lucifredi
- Re: [dnsext] Forgery resilience and meeting in St… Peter Koch
- Re: [dnsext] Forgery resilience and meeting in St… Ted Lemon
- Re: [dnsext] Forgery resilience and meeting in St… bmanning
- Re: [dnsext] Forgery resilience and meeting in St… Olafur Gudmundsson