Re: [DNSOP] Review of draft-livingood-dns-redirect-00

"Livingood, Jason" <Jason_Livingood@cable.comcast.com> Mon, 13 July 2009 14:02 UTC

Date: Mon, 13 Jul 2009 10:02:23 -0400
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: Roy Arends <roy@dnss.ec>
Message-ID: <C680B6AF.EB2A%Jason_Livingood@cable.comcast.com>
Thread-Topic: [DNSOP] Review of draft-livingood-dns-redirect-00
In-Reply-To: <F9F06CCE-0E2C-4976-B3DC-83C2B1519BFD@dnss.ec>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Good feedback, which I will take into consideration for our -01 revision.
Please do note that Section 10 is definitely immature, as we noted in the
Open Issues (#5) in Appendix B.  We'll be developing this section quite a
bit.

Thanks
Jason


On 7/13/09 4:12 AM, "Roy Arends" <roy@dnss.ec> wrote:

> On Jul 9, 2009, at 5:23 PM, Livingood, Jason wrote:
> 
>> > I submitted this draft, which you can find at
>> > http://tools.ietf.org/html/draft-livingood-dns-redirect-00, before
>> > the -00 cutoff on Monday, and it will be discussed in the
>> > DNSOP WG meeting at IETF 75 (it is listed on the agenda).
>> >
>> > If anyone is interested and has time before IETF 75, I'm happy to
>> > take feedback before then obviously.  Please note that there is a
>> > list of open items at the end, which we plan to address in
>> > subsequent versions.
> 
> This part of section 10 is troublesome:
> 
>      So the only case where DNS security extensions cause problems for
> DNS Redirect is with a validating stub resolver. This case doesn't
> have widespread deployment now and could be mitigated by using trust
> anchor, configured by the applicable ISP or DNS ASP, that could be
> used to sign the redirected answers.
> 
> This mitigation strategy just doesn't work, and for a very good
> reason, as it allows a downgrade attack.
> 
> As for the rest of the document, I think it overloads the term
> "redirection" by incorporating lawfully mandated filtering (whatever
> that means), and therefore wrongly justifying this practice altogether.
> 
> In general, this kind of muddling with the DNS protocol assumes that
> the sole purpose of the DNS is to allow a web-browser to find the address
> of a web-server. Clearly it is not.
> 
> There are alternatives. I run unbound from my laptop. Windows users
> can do so too: http://unbound.net/downloads/unbound_setup_1.3.1.exe
> 
> Other alternatives are OARC's ODVR:
> https://www.dns-oarc.net/oarc/services/odvr
> 
> Kind regards,
> 
> Roy Arends
>
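To make the trust-anchor point in the quoted Section 10 text concrete, here is a toy chain-of-trust model added as an illustration; it is not code from the draft or from either author, uses no real cryptography, and the zones, key labels (K_root, K_example, K_isp) and addresses are constructed. It shows that a redirected answer fails under a stub anchored only at the root, and that once an ISP key is anchored at the root it validates a substituted answer for an existing name just as readily as the redirect.

```python
import hashlib
from dataclasses import dataclass
# Toy model of the DNSSEC chain of trust, no real cryptography: a key is a
# label and a "signature" is a hash bound to it, enough to record which key
# signed which RRset and to walk DS records back to a trust anchor.

@dataclass(frozen=True)
class RRSet:
    name: str    # owner name, e.g. "www.example."
    rdata: str   # e.g. "A 192.0.2.10"
    signer: str  # zone whose key produced the signature
    key: str     # key label, e.g. "K_example"
    sig: str

def sign(key, name, rdata):
    return hashlib.sha256(f"{key}|{name}|{rdata}".encode()).hexdigest()

def signed(name, rdata, signer, key):
    return RRSet(name, rdata, signer, key, sign(key, name, rdata))

def in_zone(zone, name):
    return zone == "." or name == zone or name.endswith("." + zone)

# Genuine chain (constructed): the root key vouches, via DS, for example.
ZONE_KEY = {".": "K_root", "example.": "K_example"}
DS = {"example.": "K_example"}  # DS record published in the parent zone

def trusted_key(zone, key, anchors):
    # True if `key` for `zone` chains back to a configured trust anchor.
    if key in anchors.get(zone, set()):
        return True
    if zone == "." or DS.get(zone) != key:
        return False
    parent = zone.split(".", 1)[1] or "."
    return trusted_key(parent, ZONE_KEY[parent], anchors)

def validate(rr, anchors):
    return (rr.sig == sign(rr.key, rr.name, rr.rdata)
            and in_zone(rr.signer, rr.name)
            and trusted_key(rr.signer, rr.key, anchors))

# Sample RRsets (constructed). A redirect must cover names in any zone, so
# the ISP key has to be anchored at the root, where it covers every name.
GENUINE = signed("www.example.", "A 192.0.2.10", "example.", "K_example")
REDIRECT = signed("nonexistent.example.", "A 198.51.100.1", ".", "K_isp")
SUBSTITUTE = signed("www.example.", "A 198.51.100.1", ".", "K_isp")
ROOT_ONLY = {".": {"K_root"}}          # a normal validating stub
WITH_ISP = {".": {"K_root", "K_isp"}}  # plus the proposed ISP anchor
def outcomes(anchors):  # results for (GENUINE, REDIRECT, SUBSTITUTE)
    return tuple(validate(rr, anchors) for rr in (GENUINE, REDIRECT, SUBSTITUTE))
```

Anchoring the ISP key under a narrower zone instead would validate only names in that zone, which is not enough to cover redirected names anywhere in the namespace.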