IETF Logo Mail Archive

Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01

"John R Levine" <johnl@taugh.com> Wed, 30 March 2016 02:17 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4604212DB57 for <dnsop@ietfa.amsl.com>; Tue, 29 Mar 2016 19:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=LH3M3YFj; dkim=pass (1536-bit key) header.d=taugh.com header.b=hFozBy6T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9r3Wt2fPhWvJ for <dnsop@ietfa.amsl.com>; Tue, 29 Mar 2016 19:17:09 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6681B12D1C7 for <dnsop@ietf.org>; Tue, 29 Mar 2016 19:17:09 -0700 (PDT)
Received: (qmail 45564 invoked from network); 30 Mar 2016 02:17:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=b1fb.56fb3724.k1603; bh=r+ebTySvdksSfVty5geSLmef5eTS4f9Db3z9GkMmcRM=; b=LH3M3YFjLc6b1QINGjJ9DPfX+JxnpMEaXP3EpojLrMszT/t2BbW+ZVlG/adhqLvJmvaOCX/wRIvvEIAyffqRma1oK0jQWZOOWUeBy38pFMi9Cefsbd8HT03kRotvZqXzAK1qHca6u3OQYXLtJU1ctTJLUM/NB0PT3wXrI9FPbNc2etrRhEvO+5rlimYIYs+KrqdhQXxT2Hg1uqkYU5OCBYU9qaAHJR/e/c1d5+1mXwdvOhSJUouMii3Y5hWjY34R
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=b1fb.56fb3724.k1603; bh=r+ebTySvdksSfVty5geSLmef5eTS4f9Db3z9GkMmcRM=; b=hFozBy6ToeIzivfcfy0iRh8L3g0CRCC1hbeCQ0J0SPqONZgCG49ndSNWiAwUN1EEm1eUEivNB+ieuYxsmP9sqc2vhyuNt9FStzd8iVwqs2BDXj3a5ikcUmIOrpKYRirPApWRx1J5r1NTeApJqWpIILIwNiU7KpGD4Ry/5fUFg9jtUzAIjK9ZtMqN/E6s2TGAZTHRQPLYOMOrcLJePaytQDOxEyRbU/8j9E0E5KiKpP2ZPXvpjKgpv7T+0VEm7RFR
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 30 Mar 2016 02:17:08 -0000
Date: Tue, 29 Mar 2016 22:17:07 -0400
Message-ID: <alpine.OSX.2.11.1603292212470.42318@ary.lan>
From: John R Levine <johnl@taugh.com>
To: Adrien de Croy <adrien@qbik.com>
In-Reply-To: <em2f8e8bdb-6863-4417-9c08-be3446d1486f@bodybag>
References: <em2f8e8bdb-6863-4417-9c08-be3446d1486f@bodybag>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/g1RegpoMdxpBoJqS2rxQVsfAIm8>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2016 02:17:11 -0000

>> I have to say I'm startled to see that people here aren't aware that
>> .onion is entirely handled in applications.
>
> a google search for "DNS .onion leaks" comes up with many links, many 
> relating to reported bugs in browsers.

Yeah, that's why it'd be nice if the DNS resolver rejected them rather 
than telling the world what you were trying to look for in .onion land.

> So I don't know if we can truly claim that resolvers are being shielded from 
> .onion by the applications.  Maybe it's better now, it would be interesting 
> if Symantec were to update this.

They aren't.  That's why it'd be nice to make that bug less leaky.

>> don't leak into the DNS.  The only thing that anyone's asking DNS
>> developers to do is to fail .onion requests rather than forwarding
>> them along.
> That's the problem.  Creating new requirements for DNS developers to do 
> anything at all is a huge problem.

It's not a requirement.  It's a request.  I expect it's a lot easier than 
whatever you have to do to deal with .local.  If we adopt .alt, you can 
stub that out too and with any luck you're done.

> Having said that, I wish there was a way with a single DNS lookup one could 
> resolve both/either IPv4 and/or IPv6 addresses from a name with a single 
> query (e.g. the "give me any version address" query), rather than having to 
> make 2 lookups and fail over etc.  Would basically halve the amount of DNS 
> traffic on the network and resolve a lot of pathological cases.

Surely you've been reading the draft-vavrusa-dnsop-aaaa-for-free thread.

R's,
John

v2.23.0 | Report a Bug | By Email