Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt
Ted Hardie <ted.ietf@gmail.com> Thu, 22 September 2016 16:38 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: dnsoverhttp@ietfa.amsl.com
Delivered-To: dnsoverhttp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id D73C512DABC
for <dnsoverhttp@ietfa.amsl.com>; Thu, 22 Sep 2016 09:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hptwB4em6Kyj for <dnsoverhttp@ietfa.amsl.com>;
Thu, 22 Sep 2016 09:38:14 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com
[IPv6:2607:f8b0:4003:c06::232])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id DEECB12DA8A
for <dnsoverhttp@ietf.org>; Thu, 22 Sep 2016 09:36:59 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id t83so104044872oie.3
for <dnsoverhttp@ietf.org>; Thu, 22 Sep 2016 09:36:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=RnDT19iaah9rSb8eXsgkBxHI64REnbneJEthwrY7nbU=;
b=POonI3K0zVclCnANP7EZizJ9o+Dp2+RvGvq/10bRQJYrz9ZMmTTXxB7F+VBDjIgxAL
JcX1MRdUjcuml6mVc80oSjw4S8uYdAVlmn+LLUF6OtBvdfTHso8vrwErSIT01IOwx6La
6v7cnyQ9lAc74ayOgr1ORQQN1nFpoXiNs54uE5nURMDDxmGrAYyWavP2x06lQi7tIOUU
jO3tVLe/wyjBSH+lY9nYpXc+EyYtVUn4ftDCurFUXZkrtiKuigv6AHM03M9Coi7eluAQ
Y7Q/aduFy8nq0FQYnItZSrNR/ZbHILDRjuO8fbQgvI5ENDEgIZatNOUm/Ykb/0CPbxux
r/Dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=RnDT19iaah9rSb8eXsgkBxHI64REnbneJEthwrY7nbU=;
b=cxrACZ40VuT0jmvby/303xibQRbgsR5UC9jTC9Iz0szrpKQZ5uEcAB0Wjaf+Kypqih
p4Rta9wAeZMZ0gNwBR72p8TcSnnxzn4pLKKsrT8UG+aYjWMyCAifj5E1omfTx923b8u2
1tJj1lD7oX3zXTSQctDCHeoKvescXtboMzIlpTKPnGtgqyuIPrntXvYNnw9Oc/b3CBUh
bjaTwtV6CMJ4gddQ+63ZGk5qAP+ctK4/VoTvPYtI9ucT0gBge0c5iDBrB/9F2vnjjJfu
1GMm6LnVsvHxgrtsN0u6xZFpbEdnuEwaBYLTxg3HJL2NwRUA2BQyVVxbRUi14HB0l72U
B+QQ==
X-Gm-Message-State: AE9vXwNcgZgjSKouSkET/CO3td6/gaY4LQGpR0315UB4RS7Eii+3ShT/7Bn0Rh+i9L/nglRDGimzoJQFQp7tNQ==
X-Received: by 10.202.72.83 with SMTP id v80mr3550586oia.67.1474562219277;
Thu, 22 Sep 2016 09:36:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.85.72 with HTTP; Thu, 22 Sep 2016 09:36:28 -0700 (PDT)
In-Reply-To: <CABkgnnWSRP=9GxK74O2Z4mE_Hu55snxtg-vTZoQ_K3hvnmO4qQ@mail.gmail.com>
References: <147438228195.28999.4355943522486567954.idtracker@ietfa.amsl.com>
<D1E3CC44-FE5A-4ACE-90A1-EF9B5EE975D7@icann.org>
<CA+9kkMATL4RVv=RCmS0nqks2OWB1aQSeNcZ_-zyqHBnv5eYmLg@mail.gmail.com>
<AF616D4B-A22B-4CB7-AD20-29B4E6107276@icann.org>
<CA+9kkMCsX9=+uWmAAydW5yuda_Jzs+qX6MBZBq0ztQKOsEDndQ@mail.gmail.com>
<14CE5326-52FD-405F-A17F-1BBE5FC32929@icann.org>
<CA+9kkMBqN8Y-h27C7Cde4omO9jLsYpvhsyieFfG9YyS9+K_j9g@mail.gmail.com>
<CABkgnnUnKezkspqFBW4JFaQr2q4=BmUTwy3MWEtF62rt_TvCRQ@mail.gmail.com>
<CA+9kkMBx=5GHrm5ogJRTXRwi6dGe3=VxH-mUW0pjc3MXfqPpow@mail.gmail.com>
<CABkgnnWSRP=9GxK74O2Z4mE_Hu55snxtg-vTZoQ_K3hvnmO4qQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 22 Sep 2016 09:36:28 -0700
Message-ID: <CA+9kkMAUi+ZpTS6-8+mHexG_zvovwCdi6YpHz65bcZTbMXURig@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary=001a113daefc47821c053d1b4586
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsoverhttp/-BWqFFOdIr5uu9JAkG8PNl0m0CY>
Cc: "dnsoverhttp@ietf.org" <dnsoverhttp@ietf.org>,
Paul Hoffman <paul.hoffman@icann.org>
Subject: Re: [dnsoverhttp] New draft: draft-hoffman-dns-over-http-00.txt
X-BeenThere: dnsoverhttp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of DNS over HTTP <dnsoverhttp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsoverhttp>,
<mailto:dnsoverhttp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsoverhttp/>
List-Post: <mailto:dnsoverhttp@ietf.org>
List-Help: <mailto:dnsoverhttp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsoverhttp>,
<mailto:dnsoverhttp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2016 16:38:16 -0000
On Wed, Sep 21, 2016 at 6:24 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 22 September 2016 at 03:21, Ted Hardie <ted.ietf@gmail.com> wrote: > > You'll get a different answer if you make another request using a > different > > method or DNS API server. > > Well, you might assume that the last response is the best, otherwise > we're into the whole "man with two clocks" paradigm of protocol > engineering. Sorry, I apparently wasn't clear. The point I was making was in response to your statement in this part of the thread: Ted: That can't be corrected by DNSSEC, since it is correctly signed. > > Martin: It can be corrected by making another request. > > I was trying to point that in order to test this using your method you have to have access to a different DNS API server or a different protocol with the same security properties (e.g. DNS over TLS or DNS over DTLS). Using either of those test methods is also going to be bad for latency, so it is not going to happen in the common case, unless we explicitly scope things so that it does. You could imagine, for example, a server marking an answer as reusable and the client testing those before moving them from a context-specific cache to a general cache. I think the safest thing to do is to treat all of these answers as explicitly scoped to the context in which they were received, but that's actually a big change to the consistency model. It's also not really fixable with the usual DNS TTL tricks, because the action required is "ask a different server" not "ask again". Re-asking the same server at TTL expiration doesn't improve the security properties at all. Hope that is clearer, Ted
- [dnsoverhttp] New draft: draft-hoffman-dns-over-h… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Paul Hoffman
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Patrick McManus
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Ted Hardie
- Re: [dnsoverhttp] New draft: draft-hoffman-dns-ov… Martin Thomson