Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
Paul Vixie <paul@redbarn.org> Mon, 28 September 2015 16:56 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECDC51ACE89 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 09:56:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xybBu7RVL8hS for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 09:56:44 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA5501ACE87 for <dnsop@ietf.org>; Mon, 28 Sep 2015 09:56:44 -0700 (PDT)
Received: from [IPv6:2001:559:8000:cb:854c:3e7c:bb76:5a15] (unknown [IPv6:2001:559:8000:cb:854c:3e7c:bb76:5a15]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 412E613B5A; Mon, 28 Sep 2015 16:56:44 +0000 (UTC)
Message-ID: <56097146.3060208@redbarn.org>
Date: Mon, 28 Sep 2015 09:56:38 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 4.0.5 (Windows/20150923)
MIME-Version: 1.0
To: Mukund Sivaraman <muks@isc.org>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <6944DF48-2A47-4E75-801F-37BEA19A1CCD@vpnc.org> <20150927000309.GA17973@jurassic.l0.malgudi.org> <F53FA522-E92B-420B-9C12-6D64AC9DD5D4@vpnc.org> <20150927025914.GA31910@jurassic.l0.malgudi.org> <alpine.LFD.2.20.1509281034040.25357@bofh.nohats.ca> <20150928154852.GA19077@jurassic.l0.malgudi.org>
In-Reply-To: <20150928154852.GA19077@jurassic.l0.malgudi.org>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/CC6BIqq8uyth4RILZSADuEIbaHk>
Cc: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 16:56:46 -0000
Mukund Sivaraman wrote: > Hi Paul > > On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote: >> On Sun, 27 Sep 2015, Mukund Sivaraman wrote: >> >>> UDP has a header checksum that can notice message modification when in >>> use. Sometimes this may be 0 if the sender host did not generate a >>> checksum. This draft adds one in the application layer alongside a nonce >>> known to the client. Together they are meant to thwart any possibility >>> of different kinds of off-path cache-poisoning attacks. >> There is other work happening that accomplishes the same. The DPRIVE >> work to add TLS and longlived TCP, the dns cookies, and of course >> DNSSEC itself. I don't really see the need to add another mechanism to >> help against non-DNSSEC spoofing attacks. > > DNS cookies do not protect against IP fragmentation - they do not check > the message contents. These same things above can be said for DNS > cookies too. This draft intends to provide a method without the use of > additional roundtrips. noone has ever regretted adding an end-to-end checksum to any system. many have regretted trusting the lower-level network to deliver things perfectly. so i think there's good cause to add a DNS-level checksum even as we add DNS-level cookies. for extra credit, make it work on IXFR and AXFR as well (for the whole session, not just per-message.) -- Paul Vixie
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-mu… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-mu… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-mu… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-mu… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Davey Song
- Re: [DNSOP] New Version Notification for draft-mu… Ólafur Guðmundsson