IETF Logo Mail Archive

Re: [DNSOP] draft new charter: add stub resolvers?

Petr Spacek <pspacek@redhat.com> Tue, 08 April 2014 14:28 UTC

Return-Path: <pspacek@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1F541A03F6 for <dnsop@ietfa.amsl.com>; Tue, 8 Apr 2014 07:28:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.174
X-Spam-Level:
X-Spam-Status: No, score=-7.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQnAoPa_kHMP for <dnsop@ietfa.amsl.com>; Tue, 8 Apr 2014 07:27:59 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 636EB1A039C for <dnsop@ietf.org>; Tue, 8 Apr 2014 07:27:59 -0700 (PDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s38ERvWh014179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 8 Apr 2014 10:27:57 -0400
Received: from pspacek.brq.redhat.com (vpn1-6-167.ams2.redhat.com [10.36.6.167]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s38ERs4R011457 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 8 Apr 2014 10:27:56 -0400
Message-ID: <5344076A.3010906@redhat.com>
Date: Tue, 08 Apr 2014 16:27:54 +0200
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Joe Abley <jabley@hopcount.ca>
References: <A1679B19-C0C5-4CE9-91DA-29FA3BD03CF3@gmail.com> <20140403215020.GH58655@mx1.yitter.info> <F0260771-EF61-4C12-91A7-C98F311DBED2@vpnc.org> <nPeW1n01A0xxhYs01PeXE5> <4F8D85D7-6872-4511-9549-FE73C5750734@cox.net> <5343FF78.70800@redhat.com> <FF297BBE-81DD-4E01-9EC6-A1E1A4D05929@hopcount.ca>
In-Reply-To: <FF297BBE-81DD-4E01-9EC6-A1E1A4D05929@hopcount.ca>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/8PQTv8QV78nivyMoIY256qCjgng
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft new charter: add stub resolvers?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 14:28:02 -0000

On 8.4.2014 16:10, Joe Abley wrote:
> On 8 Apr 2014, at 9:54, Petr Spacek <pspacek@redhat.com> wrote:
>
>> On 8.4.2014 15:20, Edward Lewis wrote:
>>>  From the linked message:
>>
>> Let me quote very first part of the message to put it into context:
>>>>>>>>>> People start to disagree when it comes to questions like "Is it feasible to
>>>>>>>>>> rely on a local validating resolver in the near future? How can applications
>>>>>>>>>> detect that a validating resolver is not configured and that DNS responses
>>>>>>>>>> can't be trusted?"
>>>>>>>>>>
>>>>>>>>>> Aim of the proposal below is to enable applications to stay safe on systems
>>>>>>>>>> without a validating resolver.
>>
>> In other words, we are looking for a way how to augment current APIs to move DNSSEC-related knobs from applications to system-wide level (so you don't need to tweak OpenSSH config and Postfix config separately, for instance).
>
> I think introducing a new API to inform applications as to what security measures are in place is going to be messy and complex. The better approach is surely to let applications decide what features they want and specify them through the same API they use to perform DNS resolution, e.g.
>
> http://www.vpnc.org/getdns-api/

I definitely agree that new API is necessary, but I'm afraid that it is long 
term effort. Unfortunately, many (non-DNS-related projects) have roadmaps 
filled with more interesting stuff (for them) than a new fancy DNS API.

I would rather see RFC 4025, RFC 4255, draft-wouters-dane-openpgp and 
draft-wouters-dane-openpgpkey-usage to be practically implemented and widely 
used sooner than later.

Thank you for your time.

-- 
Petr Spacek  @  Red Hat

v2.23.0 | Report a Bug | By Email