Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

Shane Kerr <shane@time-travellers.org> Sat, 29 July 2017 13:05 UTC

Date: Sat, 29 Jul 2017 15:05:42 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com> <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com> <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca>
To: dnsop@ietf.org, Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AyW5ciyc_pEcL0nRNg3hMpx0P7c>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

I guess that I understand your concern, but we don't have any way to authenticate servers in DNS today and we already send error messages back. 

I'm happy with error codes that are informational, but don't change client behavior. Yes, I realize that users may be tricked, but that's also the case today, right? 

On 29 July 2017 14:53:48 GMT+02:00, Paul Wouters <paul@nohats.ca> wrote:
>
>> This starts a Call for Adoption for
>draft-wkumari-dnsop-extended-error
>
>I have reviewed the draft, and while I think it could be useful, I'm
>seriously worried about sending unauthenticated errors back to the
>user,
>and fear that software will start using these without first validating
>the response using DNSSEC.
>
>I would like to see more discussion on this topic before adopting this
>document with a focus on how we could secure these error codes.
>
>Paul
>
>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
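The position taken in the reply above, that extended error codes are useful as informational data but must not drive client behaviour because nothing authenticates the server that sent them, can be shown as client code. The following is an added example, not code from the thread, the draft or any resolver project. It assumes the EDNS option layout that was later standardized in RFC 8914 (option code 15, a 2-byte INFO-CODE followed by optional UTF-8 EXTRA-TEXT); the DNS response it parses is constructed by hand, and the `decide` policy function is a hypothetical client policy written for the demo.

```python
"""Parse Extended DNS Error (EDE) options from a DNS response and keep them
informational: the client's trust decision comes from its own DNSSEC
validation state and the RCODE, never from the unauthenticated EDE text.

Added example; assumes the RFC 8914 option layout (option code 15).
"""
import struct

EDNS_OPT_TYPE = 41          # OPT pseudo-RR type
EDE_OPTION_CODE = 15        # RFC 8914 option code (assumption for this demo)
# A few RFC 8914 INFO-CODE names, used only for diagnostics output.
EDE_NAMES = {0: "Other", 6: "DNSSEC Bogus", 9: "DNSKEY Missing",
             18: "Prohibited", 23: "Network Error"}


def encode_name(name):
    """Encode a domain name in uncompressed wire format ('.' -> root)."""
    labels = name.rstrip(".").split(".") if name not in ("", ".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_response(qname, rcode, ede_options, udp_size=1232):
    """Construct a minimal response: header, one question, one OPT RR carrying EDEs."""
    flags = 0x8180 | (rcode & 0xF)                   # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = b""
    for info_code, text in ede_options:
        body = struct.pack("!H", info_code) + text.encode("utf-8")
        rdata += struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    # OPT fixed part: NAME=root, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLENGTH
    opt = encode_name(".") + struct.pack("!HHBBHH", EDNS_OPT_TYPE, udp_size, 0, 0, 0, len(rdata)) + rdata
    return header + question + opt


def parse_ede(msg):
    """Return (rcode, [(info_code, extra_text), ...]) from a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    ede = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != EDNS_OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                  # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                ede.append((info, body[2:].decode("utf-8", errors="replace")))
    return flags & 0xF, ede


def decide(msg, validation_state):
    """Hypothetical client policy. validation_state is the client's OWN DNSSEC
    result ('secure', 'insecure' or 'bogus'). EDE is collected for logging;
    it neither rescues a rejected answer nor rejects an accepted one."""
    rcode, ede = parse_ede(msg)
    notes = [f"EDE {code} ({EDE_NAMES.get(code, 'unassigned')}): {text!r}"
             for code, text in ede]
    if validation_state == "bogus" or rcode != 0:
        return "reject", notes
    return "use", notes


if __name__ == "__main__":
    # Constructed sample: SERVFAIL with an EDE explaining why.
    msg = build_response("example.com", 2, [(6, "signature expired")])
    print(decide(msg, "secure"))
```

Run as a script it prints the decision and the diagnostic notes for a constructed SERVFAIL. The design point matches the reply above: an EDE saying "DNSSEC Bogus" on a validated NOERROR answer is logged but does not make the client discard the answer, and an absence of EDE on a bogus answer does not make the client accept it.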