Re: [DNSOP] Review of draft-livingood-dns-redirect-00

Roy Arends <roy@dnss.ec> Mon, 13 July 2009 08:11 UTC

Message-Id: <F9F06CCE-0E2C-4976-B3DC-83C2B1519BFD@dnss.ec>
From: Roy Arends <roy@dnss.ec>
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
In-Reply-To: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
Date: Mon, 13 Jul 2009 10:12:17 +0200
References: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00

On Jul 9, 2009, at 5:23 PM, Livingood, Jason wrote:

> I submitted this draft, which you can find at
> http://tools.ietf.org/html/draft-livingood-dns-redirect-00, before the
> -00 cutoff on Monday, and it will be discussed in the DNSOP WG meeting
> at IETF 75 (it is listed on the agenda).
>
> If anyone is interested and has time before IETF 75, I’m happy to  
> take feedback before then obviously.  Please note that there is a  
> list of open items at the end, which we plan to address in  
> subsequent versions.

This part of section 10 is troublesome:

     So the only case where DNS security extensions cause problems for
     DNS Redirect is with a validating stub resolver. This case doesn't
     have widespread deployment now and could be mitigated by using trust
     anchor, configured by the applicable ISP or DNS ASP, that could be
     used to sign the redirected answers.

This mitigation strategy just doesn't work, and for a very good  
reason, as it allows a downgrade attack.

As for the rest of the document, I think it overloads the term  
"redirection" by incorporating lawfully mandated filtering (whatever  
that means), and therefore wrongly justifies this practice altogether.

In general, this kind of muddling with the DNS protocol assumes that  
the sole purpose of the DNS is to allow a web browser to find the  
address of a web server. Clearly it is not.

There are alternatives. I run unbound from my laptop. Windows users  
can, too: http://unbound.net/downloads/unbound_setup_1.3.1.exe

Other alternatives are OARC's ODVR: https://www.dns-oarc.net/oarc/services/odvr

Kind regards,

Roy Arends
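The objection to the section 10 mitigation, modelled as an added example (this is not code from the thread, from the draft, or from any project named above): a toy validating stub resolver with a DNSSEC-style chain of trust. It assumes Ed25519 in place of a DNSSEC signing algorithm, a SHA-256 key digest in place of a real DS digest, and that an ISP key intended to sign redirected answers for arbitrary names has to be configured as a trust anchor at the root, since an anchor only covers names at or below its zone. The zone names, keys and addresses are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// RRset is a minimal stand-in for a DNS resource record set, e.g. {"www.example.com.", "A", "192.0.2.10"}.
type RRset struct{ Owner, Type, Data string }

func (r RRset) wire() []byte { return []byte(r.Owner + "\x00" + r.Type + "\x00" + r.Data) }

// Signed bundles an RRset with what its RRSIG and the signer's DNSKEY would carry.
type Signed struct {
	RRset
	Signer string            // RRSIG signer name: the zone whose key produced Sig
	Key    ed25519.PublicKey // that zone's DNSKEY
	Sig    []byte
}

// Zone is a signed zone's key pair; Ed25519 stands in for a DNSSEC algorithm (assumption).
type Zone struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, Pub: pub}
}

// Sign makes the RRSIG equivalent. Any key holder can sign any RRset; the validator alone decides trust.
func (z *Zone) Sign(r RRset) Signed {
	return Signed{RRset: r, Signer: z.Name, Key: z.Pub, Sig: ed25519.Sign(z.priv, r.wire())}
}

// DS is the delegation-signer record a parent publishes for a child's key (SHA-256 digest, assumption).
func (z *Zone) DS(child *Zone) Signed {
	return z.Sign(RRset{Owner: child.Name, Type: "DS", Data: keyDigest(child.Pub)})
}

func keyDigest(k ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(k)) }

// inZone reports whether owner is at or below the zone apex.
func inZone(owner, zone string) bool {
	return zone == "." || owner == zone || strings.HasSuffix(owner, "."+zone)
}

// Validator is a toy validating stub resolver.
type Validator struct {
	Anchors map[string][]ed25519.PublicKey // configured trust anchors, keyed by zone name
	DS      map[string]Signed              // DS RRset fetched for each delegated zone
}

// trusted: key is an anchor for zone, or a DS for zone matches it and is signed by a trusted parent key.
func (v *Validator) trusted(zone string, key ed25519.PublicKey) bool {
	for _, k := range v.Anchors[zone] {
		if bytes.Equal(k, key) {
			return true
		}
	}
	ds, ok := v.DS[zone]
	if !ok || ds.Data != keyDigest(key) || !inZone(ds.Owner, ds.Signer) {
		return false
	}
	return ed25519.Verify(ds.Key, ds.wire(), ds.Sig) && v.trusted(ds.Signer, ds.Key)
}

// Validate accepts an answer only if the signature verifies and the signing key chains to an anchor covering the owner.
func (v *Validator) Validate(a Signed) bool {
	return inZone(a.Owner, a.Signer) && ed25519.Verify(a.Key, a.wire(), a.Sig) && v.trusted(a.Signer, a.Key)
}

// Scenario builds root -> com. -> example.com. plus an ISP key; reports whether the genuine answer validates,
// whether the ISP's redirected answer validates with the root anchor only, and whether it does once the ISP anchor is added.
func Scenario() (genuineOK, redirectRootOnly, redirectWithISP bool) {
	root, com, example := NewZone("."), NewZone("com."), NewZone("example.com.")
	isp := NewZone(".") // to vouch for arbitrary names, the ISP key must be anchored at the root (assumption)
	v := &Validator{
		Anchors: map[string][]ed25519.PublicKey{".": {root.Pub}},
		DS:      map[string]Signed{"com.": root.DS(com), "example.com.": com.DS(example)},
	}
	genuine := example.Sign(RRset{"www.example.com.", "A", "192.0.2.10"})
	redirect := isp.Sign(RRset{"www.example.com.", "A", "198.51.100.1"}) // ISP landing page, constructed
	genuineOK, redirectRootOnly = v.Validate(genuine), v.Validate(redirect)
	v.Anchors["."] = append(v.Anchors["."], isp.Pub)
	redirectWithISP = v.Validate(redirect)
	return
}

func main() { fmt.Println(Scenario()) } // prints: true false true
```

With only the root anchor configured, the redirected answer is rejected: the ISP key has no DS chain to the root, so the stub has no reason to believe it for www.example.com. Once the ISP anchor is added, the same key validates an answer for a name that example.com's own signed zone never published, and it would do so for any other name as well. That is the downgrade: authenticated data for every signed zone now rests on the ISP key, and anyone who can use that key can override any zone's DNSSEC-signed answers.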