Re: [dnsext] URI RRTYPE review - Comments period end Aug 15th

Phillip Hallam-Baker <hallam@gmail.com> Wed, 13 October 2010 13:19 UTC

In-Reply-To: <0058A35A-86AB-4BC8-A9C0-2DD92CA04265@cisco.com>
References: <20100725184119.GA42253@registro.br> <AANLkTikLbJwMLjzgyhFZ+fcc63-6wo0ccBb_CRgL2hw2@mail.gmail.com> <8E0002DF-09C9-46CD-AB1B-6DE946E3D0DC@cisco.com> <AANLkTinuNGYU_eoh5-Y=XJwmeo6psU_vPYt1vFAjq+Kk@mail.gmail.com> <C9DE16B6-3740-4670-955A-60448A14A7E8@cisco.com> <AANLkTi=W_6vP2wOfE0eiBNWviRXqHnKFuqNnOtt2Vwen@mail.gmail.com> <0058A35A-86AB-4BC8-A9C0-2DD92CA04265@cisco.com>
Date: Wed, 13 Oct 2010 09:13:21 -0400
Message-ID: <AANLkTimnZDATPy5Angw8o6rFQrmiQhfyvBNCjfTwV1KO@mail.gmail.com>
Subject: Re: [dnsext] URI RRTYPE review - Comments period end Aug 15th
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Patrik Fältström <paf@cisco.com>
Cc: Ted Hardie <ted.ietf@gmail.com>, Frederico A C Neves <fneves@registro.br>, namedroppers@ops.ietf.org

Unfortunately, NAPTR does not have the ability to specify security policy
information so the deployment incentives don't work the same.

SRV has existed for a decade now, yet we still can't get applications to
bother to check it for no-brainer applications such as IMAP.


If people care about security (an unproven hypothesis unfortunately) and are
thus willing to check a DNSSEC signature chain, then I have to hope that
they are willing to do an extra lookup to actually give that DNSSEC lookup a
point.

The biggest security hole in the Internet at the moment is the fact that
security is an optional afterthought. So sites have to rely on people
noticing the dorky padlock icon which means only that the communication was
encrypted.


DNSSEC deployment might not require an out-of-pocket cost, but that does not
mean that the cost of deployment is 'free'. Just the fact that DNSSEC means
that DNS deployment has to be done right means several hours extra work a
year, and that translates into higher administration costs.

There has to be a compelling value provided by DNSSEC and merely defeating
the Kaminsky attack on its own isn't enough.

Provide protection against the downgrade attack however and suddenly you
have a very compelling value with an immediate value to the client that
cannot be realized any other way.


An e-commerce site does not need to be very large for the value of a
security policy record to be in the hundreds of dollars. For the major
phishing targets it is in the hundreds of thousands or millions.

Making a case for better discovery techniques on their own is much harder
since the cost of bandwidth continues to fall and the application providers
have not seen a benefit to date.


Which is why I think that a flag in the security policy record that says
'hey there is also a better discovery mechanism' is more powerful as a
deployment strategy than a flag in the discovery record saying to use https.


2010/10/12 Patrik Fältström <paf@cisco.com>

> On 12 okt 2010, at 21.30, Phillip Hallam-Baker wrote:
>
> > For example it
> > could tell the client that it can use SRV or NAPTR or URI for enhanced
> > discovery.
> >
> > example.com  ESRV "prefix=_http._tcp,_imap._tcp"
> > _http._tcp.example.com ESRV "tls=required disc=srv"
> > _http._tcp.example.com SRV 1 1 80 site1.example.com
> > _http._tcp.example.com SRV 1 1 80 site2.example.com
>
> For me this is what NAPTR does...
>
> example.com. NAPTR 20 0 "s" "http" "" _http._tcp.frobbit.se.
> example.com. NAPTR 20 0 "s" "imap" "" _imap._tcp.frobbit.se.
> _http._tcp.example.com. SRV 1 1 80 site1.example.com.
> _http._tcp.example.com. SRV 1 1 80 site2.example.com.
>
>   Patrik
>
>


-- 
Website: http://hallambaker.com/
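The exchange above contrasts two record sets: Patrik's NAPTR "s" records that point at SRV names, and Phillip's sketched ESRV policy record that says a service requires TLS and names the discovery mechanism. The following is an added example, not code from the thread, from any DNS library or from any DNSEXT draft, showing the client-side logic the two sketches imply: follow NAPTR to SRV for discovery, read the policy for the service prefix, and let the policy decide whether a plain (non-TLS) connection is ever acceptable. The zone is a constructed in-memory dict standing in for DNSSEC-validated answers, and the ESRV type with its "key=value" text syntax is Phillip's hypothetical record, parsed in the form this example assumes it would take; `discover`, `policy_for`, `naptr_srv_names` and `connect_allowed` are names chosen for the example.

```python
"""Client-side discovery with a security-policy check (constructed example).

The zone below is an in-memory stand-in for DNSSEC-validated answers.  The ESRV
record type and its "key=value" text syntax are Phillip Hallam-Baker's sketch from
the thread, not a registered RRTYPE; the parsing here is this example's assumption."""
import shlex
from dataclasses import dataclass

# Constructed zone: owner name -> RRTYPE -> list of RDATA strings (presentation format).
ZONE = {
    "example.com.": {
        "NAPTR": ['20 0 "s" "http" "" _http._tcp.example.com.',
                  '20 0 "s" "imap" "" _imap._tcp.example.com.'],
        "ESRV": ['"prefix=_http._tcp,_imap._tcp"'],          # which prefixes carry policy
    },
    "_http._tcp.example.com.": {
        "ESRV": ['"tls=required disc=srv"'],                  # policy for the http service
        "SRV": ["1 1 80 site1.example.com.", "1 1 80 site2.example.com."],
    },
    "_imap._tcp.example.com.": {
        "SRV": ["0 1 143 mail.example.com."],                 # discovery only, no policy record
    },
}


def lookup(name, rrtype):
    """Stand-in for a validating resolver query; returns RDATA strings (empty list if none)."""
    return ZONE.get(name, {}).get(rrtype, [])


@dataclass(frozen=True)
class Endpoint:
    priority: int
    weight: int
    port: int
    target: str
    tls_required: bool   # carried from the policy record so the connect step can enforce it


def parse_policy(rdata):
    """'"tls=required disc=srv"' -> {'tls': 'required', 'disc': 'srv'} (assumed ESRV syntax)."""
    return dict(field.split("=", 1) for field in rdata.strip('"').split())


def policy_for(domain, prefix):
    """Return the policy dict for `prefix` at `domain`, or None if the apex advertises none."""
    advertised = set()
    for rdata in lookup(domain, "ESRV"):
        advertised.update(parse_policy(rdata).get("prefix", "").split(","))
    if prefix not in advertised:
        return None
    policy = {}
    for rdata in lookup(f"{prefix}.{domain}", "ESRV"):
        policy.update(parse_policy(rdata))
    return policy


def naptr_srv_names(domain, service):
    """Follow NAPTR records carrying the 's' flag (Patrik's example) to SRV owner names,
    lowest order and preference first."""
    hits = []
    for rdata in lookup(domain, "NAPTR"):
        order, pref, flags, svc, _regexp, replacement = shlex.split(rdata)
        if flags.lower() == "s" and svc.lower() == service.lower():
            hits.append((int(order), int(pref), replacement))
    return [name for _, _, name in sorted(hits)]


def discover(domain, service, transport="tcp"):
    """Discover endpoints for `service`, honouring the policy record: if the policy requires
    TLS and discovery yields nothing, fail closed instead of falling back to a plain connection."""
    prefix = f"_{service}._{transport}"
    policy = policy_for(domain, prefix)
    tls_required = policy is not None and policy.get("tls") == "required"
    if policy is not None and policy.get("disc", "srv") != "srv":
        raise LookupError(f"unsupported discovery mechanism {policy['disc']!r} in policy")
    # NAPTR first; the conventional SRV name is the fallback when no NAPTR points anywhere.
    names = naptr_srv_names(domain, service) or [f"{prefix}.{domain}"]
    endpoints = []
    for name in names:
        for rdata in lookup(name, "SRV"):
            prio, weight, port, target = rdata.split()
            endpoints.append(Endpoint(int(prio), int(weight), int(port), target, tls_required))
    if tls_required and not endpoints:
        raise LookupError("policy requires TLS but no endpoint was found; refusing to fall back")
    # Deterministic order for the example: lowest priority, then highest weight.
    return sorted(endpoints, key=lambda e: (e.priority, -e.weight))


def connect_allowed(endpoint, using_tls):
    """The downgrade check: a policy-protected endpoint may only be used over TLS."""
    return using_tls or not endpoint.tls_required


if __name__ == "__main__":
    for ep in discover("example.com.", "http"):
        print(ep, "plain ok?", connect_allowed(ep, using_tls=False))
```

The point the code makes is the one in the message: the NAPTR path alone finds the same SRV names either way, but only the policy record gives the client a reason to refuse a plaintext connection, and a client that has already paid for DNSSEC validation gets that refusal from one extra lookup.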