Re: [DNSOP] [homenet] iterative vs. forwarder, was Fwd: WGLC on "redact" and "homenet-dot"

william manning <chinese.apricot@gmail.com> Fri, 16 December 2016 09:46 UTC

In-Reply-To: <alpine.OSX.2.11.1612151606300.6844@ary.local>
References: <20161214220428.1688.qmail@ary.lan> <9EC2695D-5CC5-479F-9998-27810608E71E@fugue.com> <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.gmail.com> <20161215011803.A2B705CE7CAA@rock.dv.isc.org> <CAH1iCir6R=DG+RM1BoMn1s31x3ZoN4bHLO7dWdVL-yCD3u3R0A@mail.gmail.com> <CAPt1N1=Mw=LSQ+dwFX2MFKTzSHMzWKAMLrW9fQPaAggMb+GJ-A@mail.gmail.com> <CAH1iCirFZtCWVkMqFp8Fb=wJLzmBNb2k5PfxKBRNUtgVR7cMXA@mail.gmail.com> <CAPt1N1nHmrRwAGGJCTwD=PhW1w=QHHSnvi1D3GN4kNxHSgapEA@mail.gmail.com> <20161215041912.32A8F5CE9152@rock.dv.isc.org> <CAPt1N1mwoGDuc8fn7mFd0R3cx_xQLBM3H=ye9L+ceE6kvUo-mQ@mail.gmail.com> <4195DBA6-6EAE-45CE-AD61-9236C62124D0@google.com> <alpine.OSX.2.11.1612151555520.6844@ary.local> <CAPt1N1mWLw-thMrVvztdSDkPp6zW8ptick4ZnDKUatBf44QfiA@mail.gmail.com> <alpine.OSX.2.11.1612151606300.6844@ary.local>
From: william manning <chinese.apricot@gmail.com>
Date: Fri, 16 Dec 2016 01:46:50 -0800
Message-ID: <CACfw2hi36BDnZ_8REZ4sn5fx_c0kSmRYqJc6WOB6d=qy3Jc_Cg@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CkqaMg-o44uuDSuHSdfMRrwpOFM>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>, HOMENET <homenet@ietf.org>
Subject: Re: [DNSOP] [homenet] iterative vs. forwarder, was Fwd: WGLC on "redact" and "homenet-dot"

Actually, IoT OS platforms are mostly not stripped versions of Linux; most
are purpose-built, real-time OSes.  One of the more popular is RIOT.   If
you look at the attacks on these OSes, you can look at Mirai, the bot which
shows lots of packet love.
Concur that you should touch base with RSSAC before deciding to punt
traffic to the root servers to reject.  The RFC 1918 leaks were bad enough
to force the development of the AS112 infrastructure to absorb that traffic
so the roots could survive.

So we can make the delegation NOW and declare it unsigned, or we can punt
(more) traffic to the roots.
Trying to get DNSSEC validation into IoT devices requires code in the end
systems...  and

Elsewhere, Mr. O'Dell said:
"Seriously, the crapware contingent squeezes every byte out of the software
in those devices, and if somebody cannot show the incremental revenue is a
lot bigger than forcing the customer to buy a new one at some point,
there's no [dnssec] in them. Remember there is a huge difference between
inexpensive and cheap, and when consumer crapware is involved, bet on cheap
every time."

Now if we want to force the functional equivalent of renal failure on the
root servers, then by all means, don't make the delegation and hope nothing
leaks out to the public Internet.

/Wm

On Thu, Dec 15, 2016 at 1:11 PM, John R Levine <johnl@taugh.com> wrote:

> On Thu, 15 Dec 2016, Ted Lemon wrote:
>
>> Billions and billions of them?   How often do they query the root, do you
>> think, compared to a stub resolver that did recursion itself?
>>
>
> I have no idea, although I do know that IoT devices tend to use stripped
> down linux distros.
>
> In any event, given that most of the root traffic is junk, I wouldn't
> think that any plausible increase in non-junk traffic would be noticeable.
> Queries for TLDs cache really well.  You might want to talk to the RSSAC.
>
> R's,
> John
>
>
>
>> On Thu, Dec 15, 2016 at 3:57 PM, John R Levine <johnl@taugh.com> wrote:
>>
>>>> Putting an iterative resolver in a stub resolver is an attack on the DNS
>>>> infrastructure.
>>>
>>> Ted might want to alert all of the BSD and linux distros that default to
>>> running a copy of bind or unbound answering queries on 127.0.0.1.
>>>
>>> Regards,
>>> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
>>> Please consider the environment before reading this e-mail.
>>> https://jl.ly
>>>
>>> _______________________________________________
>>> homenet mailing list
>>> homenet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/homenet
>>>
>>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
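The leak the message refers to (RFC 1918 reverse-zone queries escaping to the root servers, which is why AS112 exists) is something a resolver operator can measure on their own upstream-facing query log. The script below is an added example, not code from this thread or from any of the participants: it classifies queries against the locally-served zones of RFC 6303 (the RFC 1918 reverse zones in that list are the ones AS112 absorbs) and reports which clients are sending queries that should never have left the local resolver. The log format, the sample log lines and the inclusion of `home.arpa` (the homenet special-use name registered later, in RFC 8375, rather than anything this thread settled on) are assumptions.

```python
import re
from collections import Counter

# Zones a recursive resolver is expected to answer itself (RFC 6303).
# The 10/8, 172.16/12 and 192.168/16 reverse zones are the ones AS112
# absorbs when they leak. "home.arpa" is an assumption: the homenet
# special-use name registered after this thread (RFC 8375).
LOCALLY_SERVED_ZONES = (
    "10.in-addr.arpa",
    *[f"{octet}.172.in-addr.arpa" for octet in range(16, 32)],
    "168.192.in-addr.arpa",
    "127.in-addr.arpa",
    "254.169.in-addr.arpa",
    "d.f.ip6.arpa",
    "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",
    "home.arpa",
)


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


_ZONE_LABELS = [(zone, _labels(zone)) for zone in LOCALLY_SERVED_ZONES]


def matching_zone(qname):
    """Return the locally-served zone that qname falls under, or None.

    Matching is label-wise (longest suffix wins), so '8.8.172.in-addr.arpa'
    is not flagged (172.8/16 is public) and 'in-addr.arpa' alone never matches.
    """
    q = _labels(qname)
    best = None
    for zone, z in _ZONE_LABELS:
        if len(q) >= len(z) and q[-len(z):] == z:
            if best is None or len(z) > len(best[1]):
                best = (zone, z)
    return best[0] if best else None


# Assumed log format: "<timestamp> <client> <qname> <qtype>", one query per line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_query_log(lines):
    """Yield (timestamp, client, qname, qtype) for each well-formed log line."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groups()


def find_leaks(lines):
    """Return (client, qname, zone) for every query that should have been
    answered locally but still reached the upstream-facing log."""
    leaks = []
    for _ts, client, qname, _qtype in parse_query_log(lines):
        zone = matching_zone(qname)
        if zone:
            leaks.append((client, qname, zone))
    return leaks


def leaks_per_zone(lines):
    """Count leaked queries per locally-served zone."""
    return Counter(zone for _client, _qname, zone in find_leaks(lines))


# Constructed sample log; clients are RFC 5737 documentation addresses.
SAMPLE_LOG = """
2016-12-15T21:11:03Z 192.0.2.10 4.3.2.10.in-addr.arpa PTR
2016-12-15T21:11:04Z 192.0.2.10 www.example.com A
2016-12-15T21:11:05Z 192.0.2.11 5.1.168.192.in-addr.arpa PTR
2016-12-15T21:11:06Z 192.0.2.12 printer.home.arpa AAAA
2016-12-15T21:11:07Z 192.0.2.12 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa PTR
2016-12-15T21:11:08Z 192.0.2.13 8.8.172.in-addr.arpa PTR
2016-12-15T21:11:09Z 192.0.2.13 20.172.in-addr.arpa. SOA
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, qname, zone in find_leaks(lines):
        print(f"leak from {client}: {qname} (locally served zone {zone})")
    print(dict(leaks_per_zone(lines)))
```

Run over a real upstream query log, the per-zone counts tell you whether the resolver in front of the home network is actually serving these zones itself or quietly forwarding them to the root (or to AS112); the per-client list points at the devices whose resolver configuration needs fixing.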