Re: [DNSOP] draft new charter: add stub resolvers?
Petr Spacek <pspacek@redhat.com> Tue, 08 April 2014 14:28 UTC
Return-Path: <pspacek@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1F541A03F6 for <dnsop@ietfa.amsl.com>; Tue, 8 Apr 2014 07:28:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.174
X-Spam-Level:
X-Spam-Status: No, score=-7.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQnAoPa_kHMP for <dnsop@ietfa.amsl.com>; Tue, 8 Apr 2014 07:27:59 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 636EB1A039C for <dnsop@ietf.org>; Tue, 8 Apr 2014 07:27:59 -0700 (PDT)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s38ERvWh014179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 8 Apr 2014 10:27:57 -0400
Received: from pspacek.brq.redhat.com (vpn1-6-167.ams2.redhat.com [10.36.6.167]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s38ERs4R011457 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 8 Apr 2014 10:27:56 -0400
Message-ID: <5344076A.3010906@redhat.com>
Date: Tue, 08 Apr 2014 16:27:54 +0200
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Joe Abley <jabley@hopcount.ca>
References: <A1679B19-C0C5-4CE9-91DA-29FA3BD03CF3@gmail.com> <20140403215020.GH58655@mx1.yitter.info> <F0260771-EF61-4C12-91A7-C98F311DBED2@vpnc.org> <nPeW1n01A0xxhYs01PeXE5> <4F8D85D7-6872-4511-9549-FE73C5750734@cox.net> <5343FF78.70800@redhat.com> <FF297BBE-81DD-4E01-9EC6-A1E1A4D05929@hopcount.ca>
In-Reply-To: <FF297BBE-81DD-4E01-9EC6-A1E1A4D05929@hopcount.ca>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/8PQTv8QV78nivyMoIY256qCjgng
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft new charter: add stub resolvers?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 14:28:02 -0000
On 8.4.2014 16:10, Joe Abley wrote: > On 8 Apr 2014, at 9:54, Petr Spacek <pspacek@redhat.com> wrote: > >> On 8.4.2014 15:20, Edward Lewis wrote: >>> From the linked message: >> >> Let me quote very first part of the message to put it into context: >>>>>>>>>> People start to disagree when it comes to questions like "Is it feasible to >>>>>>>>>> rely on a local validating resolver in the near future? How can applications >>>>>>>>>> detect that a validating resolver is not configured and that DNS responses >>>>>>>>>> can't be trusted?" >>>>>>>>>> >>>>>>>>>> Aim of the proposal below is to enable applications to stay safe on systems >>>>>>>>>> without a validating resolver. >> >> In other words, we are looking for a way how to augment current APIs to move DNSSEC-related knobs from applications to system-wide level (so you don't need to tweak OpenSSH config and Postfix config separately, for instance). > > I think introducing a new API to inform applications as to what security measures are in place is going to be messy and complex. The better approach is surely to let applications decide what features they want and specify them through the same API they use to perform DNS resolution, e.g. > > http://www.vpnc.org/getdns-api/ I definitely agree that new API is necessary, but I'm afraid that it is long term effort. Unfortunately, many (non-DNS-related projects) have roadmaps filled with more interesting stuff (for them) than a new fancy DNS API. I would rather see RFC 4025, RFC 4255, draft-wouters-dane-openpgp and draft-wouters-dane-openpgpkey-usage to be practically implemented and widely used sooner than later. Thank you for your time. -- Petr Spacek @ Red Hat
- [DNSOP] draft new charter Suzanne Woolf
- Re: [DNSOP] draft new charter Andrew Sullivan
- Re: [DNSOP] draft new charter Paul Hoffman
- Re: [DNSOP] draft new charter Suzanne Woolf
- Re: [DNSOP] draft new charter Paul Hoffman
- Re: [DNSOP] draft new charter Stephane Bortzmeyer
- Re: [DNSOP] draft new charter Antoin Verschuren
- Re: [DNSOP] draft new charter Ted Lemon
- Re: [DNSOP] draft new charter Edward Lewis
- Re: [DNSOP] draft new charter Edward Lewis
- Re: [DNSOP] draft new charter Tim Wicinski
- Re: [DNSOP] draft new charter joel jaeggli
- Re: [DNSOP] draft new charter Edward Lewis
- Re: [DNSOP] draft new charter joel jaeggli
- Re: [DNSOP] draft new charter Seun Ojedeji
- Re: [DNSOP] draft new charter S Moonesamy
- Re: [DNSOP] draft new charter: add stub resolvers? Petr Spacek
- Re: [DNSOP] draft new charter: add stub resolvers? Edward Lewis
- Re: [DNSOP] draft new charter Jonne Soininen
- Re: [DNSOP] draft new charter: add stub resolvers? Petr Spacek
- Re: [DNSOP] draft new charter: add stub resolvers? Joe Abley
- Re: [DNSOP] draft new charter: add stub resolvers? Petr Spacek
- Re: [DNSOP] draft new charter: add stub resolvers? Joe Abley
- [DNSOP] MAC vs. DAC - Re: draft new charter: add … Edward Lewis
- Re: [DNSOP] MAC vs. DAC - Re: draft new charter: … Joe Abley
- Re: [DNSOP] MAC vs. DAC - Re: draft new charter: … Petr Spacek
- Re: [DNSOP] draft new charter: add stub resolvers? Tim Wicinski