Re: [DNSOP] Review of draft-livingood-dns-redirect-00

Jeroen Massar <jeroen@unfix.org> Thu, 16 July 2009 14:34 UTC

Message-ID: <4A5F2085.9000707@spaghetti.zurich.ibm.com>
Date: Thu, 16 Jul 2009 14:43:49 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
References: <C6849631.EF40%Jason_Livingood@cable.comcast.com>
In-Reply-To: <C6849631.EF40%Jason_Livingood@cable.comcast.com>
Cc: Andreas Gustafsson <gson@araneus.fi>, dnsop@ietf.org
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00

Livingood, Jason wrote:
>> TLDs, including your own zones.  This is indeed not just Site Finder
>> all over again - it's far worse, and breaks far more applications than
>> Site Finder did.
> 
> Please do send me that list of applications.  I would very much like to
> describe these use cases in the next version of the draft.

Please list "The Internet" as one of them; it kinda encompasses a lot of
others too. I am *VERY* happy that DNSSEC is moving along perfectly fine,
which will kill any kind of changing of DNS results.

Just a little example that even clued operators(*) get it wrong:
https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004217.html

Btw, it also does it for IPv4 IPs:
$ dig +short @208.67.220.220 127.0.0.1
67.215.65.132
$ dig +short @208.67.220.220 1.2.3.4
67.215.65.132

For that matter, when the Internet in general gets too filtered by the
ISPs in the middle, people will start using other methods.
Encrypting & signing data to avoid modification will be the first steps.
Those kinds of applications, like BitTorrent, which is a great example,
will rise outside of any IETF and get deployed, and there is nothing that
an ISP will be able to do about it unless they wall-garden the whole
thing to just allow direct talking to specific servers and nothing else,
but that won't be the Internet anymore of course...

Greets,
 Jeroen

* = IMHO OpenDNS folks are doing a good job and they definitely know
about the technical problems/challenges involved in the service they are
providing, but they, like everybody else, are simply unable to catch all
problems and foresee how applications (mis)use the DNS.
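As an added example (not part of Jeroen's message or of the draft), a small Python check for the behaviour shown in the dig output above: a resolver that synthesizes an A record for names that should not exist (including dotted-quad "names" such as 127.0.0.1) can be detected by probing several such names and seeing whether they all come back with the same address instead of NXDOMAIN. The wire-format responses here are constructed inline; the 67.215.65.132 address is the one from the dig output above, and the probe names are assumptions.

```python
import struct

def build_response(qname, rcode, answer_ip=None):
    """Constructed minimal DNS response to an A/IN query (not a real capture)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:
        # Name is a compression pointer to offset 12 (the question), then A/IN, TTL, RDLENGTH 4.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answer += bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer

def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def rewriting_resolver(responses):
    """responses: {probe_name: response_bytes} for names that should not exist.
    Returns the synthesized address if every probe got the same A answer
    instead of NXDOMAIN (rcode 3), otherwise None."""
    seen = set()
    for msg in responses.values():
        rcode, answers = parse_response(msg)
        if rcode == 3 or not answers:
            return None
        seen.update(answers)
    return seen.pop() if len(seen) == 1 else None

PROBES = ["127.0.0.1", "1.2.3.4", "nonexistent-probe.invalid"]   # assumed probe names
HONEST = {q: build_response(q, 3) for q in PROBES}
REWRITING = {q: build_response(q, 0, "67.215.65.132") for q in PROBES}
```

Against a live resolver the same probes would be sent with a DNS client and the raw responses fed to rewriting_resolver; a DNSSEC-validating stub would instead reject the synthesized answer outright.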