Re: [DNSOP] meta issue: WG to discuss DNS innovation (was Re: draft-hzhwm-start-tls-for-dns-00)

Joe Abley <jabley@hopcount.ca> Mon, 17 February 2014 17:25 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <53023FC3.8060103@bogus.com>
Date: Mon, 17 Feb 2014 12:25:05 -0500
Message-Id: <925D6E92-99AE-4F78-AD83-2FE819600E6F@hopcount.ca>
References: <CAESS1RPh+UK+r=JzZ9nE_DUqcvNtZiS6TNt1CDN-C0uiU7HP=A@mail.gmail.com> <52FEF407.30405@redbarn.org> <20140215140133.GA6990@sources.org> <alpine.LFD.2.10.1402151449280.23619@bofh.nohats.ca> <D82F49E8-9A06-4F52-8E3E-DF5C8D0B7549@virtualized.org> <53006595.5010207@frobbit.se> <784CF51A-937B-4131-85BC-AED579FA746D@vpnc.org> <5300E9C5.9090702@frobbit.se> <DB47354C-AEBA-4861-8177-94993377E3E8@hopcount.ca> <53023FC3.8060103@bogus.com>
To: joel jaeggli <joelja@bogus.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/XiqcHzcS86qTX7LMdfEAq2mQY08
Cc: dnsop <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] meta issue: WG to discuss DNS innovation (was Re: draft-hzhwm-start-tls-for-dns-00)

On 2014-02-17, at 11:58, joel jaeggli <joelja@bogus.com> wrote:

> On 2/16/14, 8:48 AM, Joe Abley wrote:
> 
>> We can't do anything that will cause larger responses, because EDNS
>> support is not widespread, and in any case the network can't reliably
>> deliver fragments.
> 
> in the context of reflection attacks (next paragraph) more packets is
> perhaps not the most helpful thing.

The problem to solve at the DNS end of the equation boils down to good enough client authentication to be able to distinguish between attack traffic and legitimate queries. The problem is not "how to stop putting things in the DNS".

Waiting for the universal implementation of the recommendations in BCP38 doesn't seem like the most proactive approach.


Joe
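An added illustration, not part of this thread or of any draft it cites, of the kind of lightweight client authentication Joe is pointing at: a DNS-cookie-style exchange modelled on RFC 7873, which goes beyond what the message itself states. The server secret, the addresses, the BADCOOKIE marker and the answer sizes are all constructed stand-ins.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed DNS-cookie-style check (modelled on RFC 7873): a full answer is sent
# only once the querier has shown it can receive packets at the source address it
# claims. A query with a forged source never learns the server cookie, so the
# would-be reflector only ever sends the victim a short, non-amplifying reply.

SERVER_SECRET = os.urandom(16)   # hypothetical per-server secret (rotated in practice)
BADCOOKIE = b"BADCOOKIE"         # stand-in for an RCODE=BADCOOKIE reply
FULL_ANSWER = b"A" * 3000        # stand-in for a large answer (e.g. DNSSEC-signed)


def server_cookie(client_cookie: bytes, client_ip: str) -> bytes:
    """Bind the cookie to the client cookie and the *observed* source address."""
    mac = hmac.new(SERVER_SECRET, client_cookie + client_ip.encode(), hashlib.sha256)
    return mac.digest()[:8]


def handle_query(src_ip: str, client_cookie: bytes, presented: Optional[bytes],
                 answer: bytes = FULL_ANSWER) -> Tuple[bool, bytes]:
    """Server side: (authenticated?, wire response). Unauthenticated queries get a
    small reply carrying the cookie the real owner of src_ip would need next time."""
    expected = server_cookie(client_cookie, src_ip)
    if presented is not None and hmac.compare_digest(presented, expected):
        return True, answer
    return False, BADCOOKIE + expected


def legit_client(src_ip: str, client_cookie: bytes) -> Tuple[bool, int]:
    """A client that really owns src_ip sees the BADCOOKIE reply, retries with the
    learned cookie, and receives the full answer."""
    _, resp = handle_query(src_ip, client_cookie, None)
    learned = resp[len(BADCOOKIE):]
    ok, resp = handle_query(src_ip, client_cookie, learned)
    return ok, len(resp)


def reflection_attempt(attacker_ip: str, victim_ip: str, client_cookie: bytes) -> Tuple[bool, int]:
    """Simulated reflection: a cookie honestly earned for attacker_ip is presented on
    a query whose source is forged to victim_ip. Because the cookie is bound to the
    observed address it fails to validate, and the victim receives only the short reply."""
    _, resp = handle_query(attacker_ip, client_cookie, None)
    borrowed = resp[len(BADCOOKIE):]
    ok, resp = handle_query(victim_ip, client_cookie, borrowed)
    return ok, len(resp)
```

The point is the size asymmetry: the reply an unauthenticated (possibly spoofed) source earns is a few bytes, while the full answer is only sent to a querier that has demonstrably received an earlier reply at that address, independent of whether BCP38 is deployed on the querier's network.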