Re: [DNSOP] Fw: New Version Notification for draft-shane-review-dns-over-http-00.txt

神明達哉 <jinmei@wide.ad.jp> Tue, 08 December 2015 19:01 UTC

Sender: jinmei.tatuya@gmail.com
In-Reply-To: <20151208141116.15e1dcb0@pallas.home.time-travellers.org>
References: <20151208141116.15e1dcb0@pallas.home.time-travellers.org>
Date: Tue, 08 Dec 2015 11:01:16 -0800
Message-ID: <CAJE_bqfW-e5eiKR7xG5w-ykR58KFjaTySE4-aRSdJZXZ13M9gw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Shane Kerr <shane@time-travellers.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/X9d_HIpoE46a4SHW8F92B3qMeYI>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-shane-review-dns-over-http-00.txt

At Tue, 8 Dec 2015 14:11:16 +0100,
Shane Kerr <shane@time-travellers.org> wrote:

> As I mentioned a while ago, we have been working on a document to
> describe the various ways of (ab)using HTTP to transmit DNS traffic. We
> have finished a -00 draft, and I would appreciate it if you had a look
> and see if it makes sense.

I've read the draft.  I think it contains some useful information, but
I don't have a particular opinion on whether this should be adopted as
a dnsop wg document - I'm not sure if it fits the charter of the wg.

Some comments on the draft (mostly editorial):

- Section 1

   o  Case 2: Clients may want to chose a resolver other than the one
      locally available.

  This doesn't necessarily seem to lead to DNS/HTTP; unless packets
  using port 53 are blocked, clients can freely use other resolvers.
  So isn't it essentially the same as case 1?

- Section 2.1

   [...]  The
   difference between port 80 and 443 is that the traffic of port 80 is
   usually intercepted as HTTP traffic while the traffic of port 443 is
   usually considered to be encrypted, [...]

  I first thought 'intercepted' should probably be 'interpreted'.  On
  reading toward the end of the doc I now see that is actually the
  intent, but to avoid such confusion it might help if you say, e.g.
  'usually intercepted as HTTP traffic for purposes such as deeper
  inspection'.

- Section 2.2 s/coming/becoming/ ?

   [...]  Second, it
   prevents resolvers from coming amplifier of reflection attack.

- Section 2.4 s/cause/because/ ?

   [...]  The support of DNSSEC might also be a
   problem cause the response usually do not contain RR records with the
   answer, making it impossible for a client to validate the reply.

--
JINMEI, Tatuya
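The following is an added illustration and is not part of the message above or of the draft it reviews. It puts two of the points in concrete terms: how a DNS query is carried inside HTTP (one of the encapsulations the draft surveys) and the Section 2.4 observation that a client can only validate a reply if the RRSIG records actually come back in it. The code encodes a DNSSEC-aware query in wire format (EDNS0 OPT record with the DO bit set), wraps it in an HTTP/1.1 POST, and inspects constructed sample replies for RRSIG records. The request path, Host and Content-Type values, the resolver name and the zero-filled RRSIG RDATA are assumptions made for the example; the draft does not specify them, and no network traffic is sent.

```python
"""Added example (not from the draft or this mail): encode a DNSSEC-aware query
in DNS wire format, carry it as an HTTP POST body, and test whether a reply
carries RRSIG records. All messages are constructed inline; the path, Host and
Content-Type are assumptions, not values the draft specifies."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # DNSSEC OK flag, carried in the TTL field of the OPT RR (RFC 6891)


def encode_name(name):
    """Encode a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 128:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def build_query(qname, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """Standard query (RD set) with an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size, TTL=flags (DO), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


def wrap_in_http_post(dns_msg, host="resolver.example", path="/dns-query"):
    """Carry the raw message as an HTTP/1.1 POST body (header values are assumptions)."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/dns-udpwireformat\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(dns_msg)))
    return head.encode("ascii") + dns_msg


def answer_types(msg):
    """Return the list of RR types in the answer section of a response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _name, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return types


def response_is_validatable(msg):
    """The Section 2.4 point: with no RRSIG in the answer, nothing can be validated."""
    return TYPE_RRSIG in answer_types(msg)


def build_response(query, addr, include_rrsig):
    """Constructed sample reply: echoes the question, answers with one A record and,
    optionally, an RRSIG whose RDATA is a zero-filled placeholder (not a real signature)."""
    txid = struct.unpack("!H", query[:2])[0]
    _qname, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if include_rrsig else 1, 0, 0)
    ptr = b"\xc0\x0c"  # compression pointer back to the QNAME at offset 12
    a_rdata = bytes(int(octet) for octet in addr.split("."))
    msg = header + question + ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + a_rdata
    if include_rrsig:
        # type covered, algorithm, labels, original TTL, expiration, inception, key tag,
        # then signer's name and a placeholder signature
        rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 0, 0, 0) + encode_name("example.com") + b"\x00" * 64
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg
```

Calling build_query("www.example.com") and passing the result to wrap_in_http_post gives the bytes a client would send; feeding a reply to response_is_validatable shows the difference between a reply that still carries its RRSIGs and one where a gateway has stripped them, which is the case the Section 2.4 comment describes.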