Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
Alex Bligh <alex@alex.org.uk> Tue, 20 October 2009 10:19 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AEDE3A6900 for <dnsop@core3.amsl.com>; Tue, 20 Oct 2009 03:19:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Level:
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[AWL=1.400, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQx1S4EVaiR6 for <dnsop@core3.amsl.com>; Tue, 20 Oct 2009 03:19:54 -0700 (PDT)
Received: from mail.avalus.com (mail.avalus.com [217.147.82.63]) by core3.amsl.com (Postfix) with ESMTP id 9B4663A68F3 for <dnsop@ietf.org>; Tue, 20 Oct 2009 03:19:53 -0700 (PDT)
Received: from [192.168.100.15] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id 3034EC2DAB; Tue, 20 Oct 2009 11:19:59 +0100 (BST)
Date: Tue, 20 Oct 2009 11:19:01 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Florian Weimer <fweimer@bfk.de>, Ray.Bellis@nominet.org.uk
Message-ID: <DE23E9BF50E437E2D5CA65C8@Ximines.local>
In-Reply-To: <82skde36c9.fsf@mid.bfk.de>
References: <OFA656600E.F5229B3D-ON80257650.005247BF-80257650.00527644@nominet.org.uk> <82skde36c9.fsf@mid.bfk.de>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: dnsop@ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2009 10:19:55 -0000
Florian,
--On 20 October 2009 06:52:22 +0000 Florian Weimer <fweimer@bfk.de> wrote:
>> I've just submitted the following draft.
>
> This will work for a short time only because those proxies will likely
> be changed to return their own address for DOMAIN.LOCAL.ARPA.
I think you are presuming that such a proxy vendor is deliberately
setting out to break things. I don't think that's the case. Ignorance
is the main cause.
As per the draft, a proxy which implements a full recursive server
that correctly passes DNSSEC packets is permitted to return its own
address from DOMAIN.LOCAL.ARPA; the sort of proxies we see today
may not. Ray in his response to you correctly points out that companies
may choose to violate the draft (perhaps it could be more explicit
about the consequences of doing so); we have no IETF police force
and people can always violate drafts.
> You cannot rely on a NXDOMAIN response for DOMAIN.LOCAL.ARPA when the
> resolver does not support this protocol due to widespread DNS
> poisoning.
Could you amplify a bit on this one? I think what you are saying is
that recursive servers which do not support DOMAIN.LOCAL.ARPA
(and hence don't strip it out of any response to a recursive
query) can be subject to poisoning attacks which will result in
duff nameserver records being sent to clients that are aware
of the protocol.
I think that is indeed a security concern, and perhaps not
one that can be brushed aside with the response "but such
servers can have any DNS query made to them poisoned anyway".
May be we need to come up with a way for a server
to signal that it does indeed support DOMAIN.LOCAL.ARPA
(or perhaps LOCAL.ARPA) in a manner not reliant upon
poisonable records. For instance, the client could always
query with a given EDNS0 option set, which would be returned
to the client by the server; any response without this set
would indicate lack of support for {DOMAIN.,}LOCAL.APRA
and cause the response to be treated like NXDOMAIN. The
disadvantage here is that this would require a server s/w
change and a larger protocol change, whereas the current
protocol only requires a configuration change. I shall
think about this.
--
Alex Bligh
- [DNSOP] Fw: New Version Notification for draft-be… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification fordraft… George Barwood
- Re: [DNSOP] Fw: New Version Notification fordraft… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Mark Andrews
- Re: [DNSOP] Fw: New Version Notification for draf… Joe Abley
- Re: [DNSOP] Fw: New Version Notification for draf… bmanning
- Re: [DNSOP] Fw: New Version Notification for draf… Mark Andrews
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… David Conrad
- Re: [DNSOP] Fw: New Version Notification for draf… Joe Abley
- Re: [DNSOP] Fw: New Version Notification for draf… bmanning