Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

Alex Bligh <alex@alex.org.uk> Wed, 21 October 2009 10:15 UTC

Date: Wed, 21 Oct 2009 11:15:32 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Florian Weimer <fweimer@bfk.de>
Message-ID: <DCCD2E64CC23A041472BF4B5@Ximines.local>
In-Reply-To: <82d44ht6kl.fsf@mid.bfk.de>
References: <OFA656600E.F5229B3D-ON80257650.005247BF-80257650.00527644@nominet.org.uk> <82skde36c9.fsf@mid.bfk.de> <DE23E9BF50E437E2D5CA65C8@Ximines.local> <82ljj61gle.fsf@mid.bfk.de> <200910202329.n9KNT56j048843@drugs.dv.isc.org> <1F61DD04-14A6-4349-8650-9CF27D27C3BC@hopcount.ca> <200910210145.n9L1j8of033780@drugs.dv.isc.org> <8263a9xnem.fsf@mid.bfk.de> <OFD7B965B7.53CC1C17-ON80257656.0028D85C-80257656.002974DF@nominet.org.uk> <82zl7luov4.fsf@mid.bfk.de> <A0DDFB2F94500799B7F0B37F@Ximines.local> <82fx9dun7r.fsf@mid.bfk.de> <F7CC8A286D65EAC3E9C1DF8F@Ximines.local> <82d44ht6kl.fsf@mid.bfk.de>
Cc: Ray.Bellis@nominet.org.uk, dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

--On 21 October 2009 09:55:06 +0000 Florian Weimer <fweimer@bfk.de> wrote:

>> Ah. I think I now understand what you mean. Well yes they can do that,
>> but they could do it anyway.
>
> There's an additional twist: If I have got a client device (not DNS
> proxy) which supports the proposed protocol, it will not work when I
> connect it to a network which uses a resolver that performs this type
> of spoofing, unless the spoofing resolver has specific support for
> this protocol.
>
> It's not "someone could do evil things and make it break", but
> "someone already does (perhaps evil) things, and it breaks".

Right, so if a spoofing resolver which does NXDOMAIN redirection but does
not support this protocol (and hence returns bogus A records for
domain.local.arpa along with everything else) receives a query from a
client stack which supports the protocol, it could confuse the client stack
by returning A records which don't support DNS queries (e.g. a "sitefinder
site").

That's easily remedied, and would be a good addition to the protocol. The
first thing the client does is send a query to the candidate new nameserver
(possibly with "Christmas tree" options, e.g. DO set and so forth), and
check the reply looks sensible. If not, it doesn't use it. That way it
doesn't use any server that makes things worse. The query could be an NS
query for ".", but perhaps better a fixed record in .ARPA that does exist
& is signed.

-- 
Alex Bligh
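As an added illustration (not code from this thread or from the draft) of the sanity check sketched above: build the NS-for-"." probe with the EDNS0 DO bit set, then reject any reply that is not a clean NOERROR answer echoing the question and carrying NS records, which is exactly what a sitefinder-style A record or an NXDOMAIN redirect fails. The 4096-byte EDNS payload size, the "NS records plus RRSIGs only" rule and the constructed sample replies in the test are my assumptions.

```python
import struct

NS, RRSIG = 2, 46

def encode_name(name):
    # "a.b." -> b"\x01a\x01b\x00"; the root "." encodes as a single zero byte
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_probe(qid, qname=".", qtype=NS):
    # Standard query with RD set, one question, plus an EDNS0 OPT RR (type 41)
    # advertising a 4096-byte UDP payload with the DO bit (0x8000) set
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    # Advance past a wire-format name, compressed or not; returns the offset after it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def reply_looks_sane(probe, reply, want_type=NS):
    # Accept only a NOERROR reply to our ID that echoes our question and whose answer
    # section holds the requested type (plus RRSIGs) and nothing else, e.g. no A records
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
        if rid != struct.unpack("!H", probe[:2])[0] or not flags & 0x8000 or flags & 0x000F:
            return False
        qlen = len(probe) - 12 - 11          # probe = 12-byte header + question + 11-byte OPT
        if qd != 1 or reply[12:12 + qlen] != probe[12:12 + qlen]:
            return False
        off, seen = 12 + qlen, set()
        for _ in range(an):
            off = skip_name(reply, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
            off += 10 + rdlen
            seen.add(rtype)
        if off > len(reply):                 # answer RR claims more data than was received
            return False
    except (struct.error, IndexError):
        return False
    return want_type in seen and seen <= {want_type, RRSIG}
```

To probe a live candidate, send build_probe(...) over UDP to port 53 and hand the datagram you get back to reply_looks_sane; a candidate whose reply fails is simply not adopted.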