Re: [DNSOP] Fw: New Version Notification fordraft-bellis-dns-recursive-discovery-00

"George Barwood" <george.barwood@blueyonder.co.uk> Fri, 16 October 2009 23:39 UTC


Ray,

I have read the draft, found no problems other than the missing security considerations
(I don't see any particular security considerations), and fully support it.

Did you consider a "referral" model using NS records?

LOCAL.ARPA.    9000    NS    A.LOCAL.ARPA.
LOCAL.ARPA.    9000    NS    B.LOCAL.ARPA.

A.LOCAL.ARPA.    9000    A    1.2.3.4
B.LOCAL.ARPA.    9000    A    2.3.4.5

I think this may be cleaner: it allows multi-homed servers to be properly distinguished
(you shouldn't try an alternate address until other servers have been tried), and
seems closer to the normal DNS representation of name servers.

A simplistic client can still just save all the A records, and ignore the names.

This may be significant if the glue types are extended in future to supply other link-local
parameters, for example the DNS transport protocols supported, or a link-local public key.
Although this is not a fully secure way to acquire a local public key, it does raise the bar for
an in-path attacker, and clients could warn users if a link-local public key changes.

I also note that using LOCALHOST, or a sub-domain of LOCALHOST, would avoid
non-local queries being sent by servers that are not aware of LOCAL.ARPA. Which
is the most appropriate domain to use I am unable to judge.

Regards,
George
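As an added illustration (not part of George's message or of the draft), the following builds a client's try-order from the NS-referral form proposed above, so that each distinct server name is tried once before any server's alternate address is used, and contrasts it with the "simplistic client" that just keeps all the A records. The record lines and addresses are constructed sample data.

```python
# Added example: order candidate resolver addresses from a LOCAL.ARPA-style
# NS referral with glue. Sample records below are constructed, not real.
from collections import OrderedDict

REFERRAL = """\
LOCAL.ARPA.    9000    NS    A.LOCAL.ARPA.
LOCAL.ARPA.    9000    NS    B.LOCAL.ARPA.
A.LOCAL.ARPA.  9000    A     1.2.3.4
A.LOCAL.ARPA.  9000    A     1.2.3.5
B.LOCAL.ARPA.  9000    A     2.3.4.5
"""

def parse_records(text):
    """Parse zone-file style lines into (owner, ttl, type, rdata) tuples."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        owner, ttl, rtype, rdata = parts
        recs.append((owner.upper(), int(ttl), rtype.upper(), rdata))
    return recs

def server_addresses(recs, zone="LOCAL.ARPA."):
    """Map each NS target of the zone to its glue A addresses, in record order."""
    ns_names = [r[3].upper() for r in recs if r[0] == zone and r[2] == "NS"]
    glue = OrderedDict((name, []) for name in ns_names)
    for owner, _ttl, rtype, rdata in recs:
        if rtype == "A" and owner in glue:   # only glue for listed servers
            glue[owner].append(rdata)
    return glue

def try_order(recs):
    """Name-aware client: first address of every server, then each server's
    alternates, so a multi-homed server is not retried before the others."""
    glue = server_addresses(recs)
    depth = max((len(addrs) for addrs in glue.values()), default=0)
    order = []
    for i in range(depth):
        for name, addrs in glue.items():
            if i < len(addrs):
                order.append((name, addrs[i]))
    return order

def simplistic_order(recs):
    """The simplistic client: keep every A address and ignore the names."""
    return [r[3] for r in recs if r[2] == "A"]
```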

----- Original Message ----- 
From: Ray.Bellis@nominet.org.uk 
To: dnsop@ietf.org 
Sent: Thursday, October 15, 2009 4:00 PM
Subject: [DNSOP] Fw: New Version Notification fordraft-bellis-dns-recursive-discovery-00


I've just submitted the following draft. 

--8<--8<-- 
A new version of I-D, draft-bellis-dns-recursive-discovery-00.txt has been successfully submitted by Ray Bellis and posted to the IETF repository.

Filename:         draft-bellis-dns-recursive-discovery
Revision:         00
Title:            DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA
Creation_date:    2009-10-15
WG ID:            Independent Submission
Number_of_pages:  9

Abstract:
This document describes a method for a DNS client resolver to
discover the IP addresses of the upstream recursive DNS resolvers and
hence bypass the local DNS proxy.  It also directs IANA to reserve
the "LOCAL.ARPA" domain name and to create a registry for well known
sub-domains of that domain name, such sub-domains being reserved for
use within any network's administrative boundary.
--8<--8<-- 

The draft is available for download at http://tools.ietf.org/html/draft-bellis-dns-recursive-discovery-00 

Ray 

-- 
Ray Bellis, MA(Oxon) MIET
Senior Researcher in Advanced Projects, Nominet
e: ray@nominet.org.uk, t: +44 1865 332211
