[mif] New revision of DNS server selection

<teemu.savolainen@nokia.com> Thu, 11 November 2010 09:53 UTC

From: teemu.savolainen@nokia.com
To: Ted.Lemon@nominum.com, haru@nishidaya.org
Date: Thu, 11 Nov 2010 10:53:23 +0100
Thread-Topic: New revision of DNS server selection
Message-ID: <18034D4D7FE9AE48BF19AB1B0EF2729F5F05D6EC7B@NOK-EUMSG-01.mgdnok.nokia.com>
References: <18034D4D7FE9AE48BF19AB1B0EF2729F5F05D02AEE@NOK-EUMSG-01.mgdnok.nokia.com> <29F4CEED-DB30-4A4B-8CDF-AB43B576DE01@nominum.com> <18034D4D7FE9AE48BF19AB1B0EF2729F5F05D02AF6@NOK-EUMSG-01.mgdnok.nokia.com> <5390F566-8150-450B-BD5A-C2636EABE128@nominum.com> <18034D4D7FE9AE48BF19AB1B0EF2729F5F05D6EA16@NOK-EUMSG-01.mgdnok.nokia.com> <99962D6D-2626-4B66-B996-DE6FA05B9BF8@nominum.com> <4F099E7F-800E-4F5E-96E5-9BD7FBF23BF2@nishidaya.org> <B21EAB17-ADA5-40FF-AA14-24D636B795F3@nominum.com> <FAEB3290-FF11-499C-AB9B-C3919B95E47B@nishidaya.org> <842EACF2-ADE7-434E-8F64-A5F65AA9893C@nominum.com>
In-Reply-To: <842EACF2-ADE7-434E-8F64-A5F65AA9893C@nominum.com>
Cc: mif@ietf.org
Subject: [mif] New revision of DNS server selection
List-Id: Multiple Interface Discussion List <mif.ietf.org>

Hi,

I made some changes and posted a quick -05 http://www.ietf.org/id/draft-savolainen-mif-dns-server-selection-05.txt with things I had in my mind at this point.

Inline:

> There are two cases, one where one provider gives the client
> information that causes it to act against the interests of the owner of
> the mif node in the sense of using the wrong network for access, and

But then elsewhere people say the network always knows better :) I'm confused by the IETF :)

The user can fall back to using a single interface.

> the other where an attacker tricks the client into sending messages for
> a particular subdomain through it, while leaving the rest of the DNS
> service untouched.

The latest draft now recommends using DNSSEC to validate responses. Of course an attacker can still *route* packets (and cause the user to go to the external side of www.corporation.com instead of the internal one ?-)

> Because there is no mechanism for authenticating or authorizing this
> option, there is no way to prevent this from happening.

In some scenarios the uplinks are always trusted (BBF). Sometimes you can administratively limit which interfaces to trust.
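Added illustration, not code from the draft or from anyone in this thread: a small model of the two mitigations mentioned above (administratively trusted interfaces, and DNSSEC validation of answers that come from untrusted ones) applied to per-domain DNS server selection on a multi-interface node. The Interface/Answer structures, the interface names, the addresses and the simulated responses are all constructed for the example; the policy encoded here (trusted claims win ties, unvalidated data from an untrusted interface is discarded and the next candidate is tried) is an assumption, not the draft's normative text.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    """One attachment of the MIF node and what its network told it (hypothetical model)."""
    name: str
    resolver: str                                # DNS server address learned on this interface
    trusted: bool                                # administratively trusted uplink (VPN, BBF-style access)
    domains: list = field(default_factory=list)  # suffixes the network claims to serve


@dataclass
class Answer:
    rdata: str
    dnssec_valid: bool                           # outcome of the node's own DNSSEC validation


def suffix_match(qname: str, suffix: str) -> int:
    """Number of labels matched if qname lies under suffix, else -1.

    Compared label by label, so 'evilcorporation.com' does not match
    'corporation.com' the way a naive str.endswith() check would.
    """
    q = qname.rstrip(".").lower().split(".")
    s = suffix.rstrip(".").lower().split(".")
    if len(s) > len(q) or q[-len(s):] != s:
        return -1
    return len(s)


def best_claim(qname: str, iface: Interface) -> int:
    """Longest suffix claimed on this interface that covers qname (0 if none)."""
    matches = [suffix_match(qname, d) for d in iface.domains]
    return max([m for m in matches if m >= 0], default=0)


def select_resolvers(qname: str, interfaces: list) -> list:
    """Order candidates: longest matching claim first, trusted before
    untrusted on ties, remaining interfaces last as generic fallback."""
    return sorted(interfaces,
                  key=lambda i: (best_claim(qname, i), i.trusted),
                  reverse=True)


def resolve(qname: str, interfaces: list, answers: dict) -> Optional[tuple]:
    """Try candidates in order. An answer from an untrusted interface is
    accepted only if it validated under DNSSEC; otherwise it is dropped and
    the next candidate is tried. Returns (rdata, interface name) or None."""
    for iface in select_resolvers(qname, interfaces):
        ans = answers.get((iface.resolver, qname))
        if ans is None:
            continue
        if not iface.trusted and not ans.dnssec_valid:
            continue   # unvalidated data from an untrusted uplink: treat as spoofed
        return ans.rdata, iface.name
    return None


# Constructed scenario: a trusted VPN serving corporation.com, and an untrusted
# hotspot that also claims corporation.com to pull those queries to itself.
INTERFACES = [
    Interface("tun0", "10.0.0.53", trusted=True, domains=["corporation.com"]),
    Interface("wlan0", "192.0.2.53", trusted=False,
              domains=["corporation.com", "hotspot.example"]),
]

# Simulated responses keyed by (resolver, qname); a missing key means no answer.
# The internal view on tun0 is unsigned, which is fine because tun0 is trusted.
ANSWERS = {
    ("10.0.0.53", "www.corporation.com"): Answer("10.1.2.3", dnssec_valid=False),
    ("192.0.2.53", "www.corporation.com"): Answer("203.0.113.9", dnssec_valid=False),
    ("192.0.2.53", "www.hotspot.example"): Answer("192.0.2.80", dnssec_valid=False),
    ("192.0.2.53", "secure.hotspot.example"): Answer("192.0.2.81", dnssec_valid=True),
}


if __name__ == "__main__":
    for name in ("www.corporation.com", "www.hotspot.example",
                 "secure.hotspot.example"):
        print(name, "->", resolve(name, INTERFACES, ANSWERS))
```

With this policy the rogue corporation.com claim on wlan0 never wins, because the trusted tun0 claim sorts ahead of it; the unsigned hotspot answer is rejected and the query fails rather than being answered by the untrusted network, which is the "fall back to a single interface" situation; the signed hotspot answer is accepted. As noted above, none of this stops an attacker who controls the path from simply routing the packets elsewhere; it only keeps the node from accepting forged DNS data from an interface it does not trust.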