Re: [DNSOP] Review of draft-livingood-dns-redirect-00

Mark Andrews <marka@isc.org> Thu, 16 July 2009 00:16 UTC

Message-Id: <200907160017.n6G0GpEV051995@drugs.dv.isc.org>
To: Paul Wouters <paul@xelerance.com>
From: Mark Andrews <marka@isc.org>
References: <C680B730.EB2C%Jason_Livingood@cable.comcast.com> <alpine.LSU.2.00.0907131506280.30197@hermes-2.csi.cam.ac.uk> <alpine.LFD.1.10.0907131347330.8917@newtla.xelerance.com> <p06240806c681347afdd5@[10.20.30.158]> <alpine.LFD.1.10.0907142351170.30778@newtla.xelerance.com> <p062408adc683d0a46ecb@[10.20.30.158]> <alpine.LFD.1.10.0907151439100.31420@newtla.xelerance.com>
In-reply-to: Your message of "Wed, 15 Jul 2009 14:47:57 -0400." <alpine.LFD.1.10.0907151439100.31420@newtla.xelerance.com>
Date: Thu, 16 Jul 2009 10:16:50 +1000
Sender: marka@isc.org
Cc: dnsop@ietf.org, "Livingood, Jason" <Jason_Livingood@cable.comcast.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00

In message <alpine.LFD.1.10.0907151439100.31420@newtla.xelerance.com>, Paul Wouters writes:
> On Wed, 15 Jul 2009, Paul Hoffman wrote:
> 
> >> and working with it. With manipulating my laptop's DNS asking for MY
> >> OWN cryptographically signed data, you are asking me to throw out the
> >> crypto protection and make me accept a downgrade attack.
> >
> > Then use a different DNS resolver.
> 
> If I use my own validating stub resolver I can't make it to the portal page.

With proper configuration of the validating stub resolver and the
recursive servers your validating stub resolver is using, you should
be able to make it to the portal page.

I do agree that it makes it more complicated.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
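As an added illustration of the kind of setup Mark refers to, and not a configuration from the thread or from ISC: an unbound instance acting as a validating stub on the laptop, validating locally against the root trust anchor while forwarding all queries to the ISP's recursive servers. The forwarder addresses and the anchor file path are placeholders.

```conf
# unbound.conf (added example, not from the thread); the forwarder
# addresses and the trust-anchor path below are placeholders.
server:
    interface: 127.0.0.1
    # Validate answers locally using an RFC 5011 managed root anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Log why an answer failed validation, so a rewritten answer for a
    # signed name shows up as "bogus" in the log instead of failing silently.
    val-log-level: 2

# Forward everything to the recursive servers. For validation at the stub
# to succeed, those servers must be DNSSEC-aware: they have to return the
# RRSIG and NSEC/NSEC3 records for signed names rather than strip them.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53   # placeholder: ISP recursive server
    forward-addr: 192.0.2.54   # placeholder: second recursive server
```

With this in place, an answer for a signed name that a forwarder has altered (for example an NXDOMAIN replaced by a portal address) does not validate, and unbound returns SERVFAIL to the application rather than the substituted address; the validation failure is visible in the unbound log, which is the practical check that the local validation is actually in force.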