Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document

Keith Moore <moore@network-heretics.com> Fri, 21 October 2011 15:31 UTC

From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <F932CA9C-3489-48AC-A454-5B7A91CF129A@nominum.com>
Date: Fri, 21 Oct 2011 11:31:06 -0400
Message-Id: <1DF30BB4-76DB-427A-8ACF-A345BAE26FA6@network-heretics.com>
References: <COL118-W55403198A984BAAE44BA47B1F70@phx.gbl> <916CE6CF87173740BC8A2CE44309696203782D75@008-AM1MPN1-037.mgdnok.nokia.com> <121DABD1-65E8-4275-8471-9FA38D25C434@nominet.org.uk> <916CE6CF87173740BC8A2CE44309696203783EE0@008-AM1MPN1-037.mgdnok.nokia.com> <4EA09791.8010705@gmail.com> <C8398996-79B5-437E-82A5-6B869ECF8F4E@network-heretics.com> <94C2E518-F34F-49E4-B15C-2CCCFAA96667@virtualized.org> <12477381-9F74-4C50-B576-47EE4322F6BC@network-heretics.com> <CAH1iCiqsN-R87VK3vKityPsY+NXA=0DRASYf_vmBSy8gvYwHdQ@mail.gmail.com> <916CE6CF87173740BC8A2CE44309696203784B27@008-AM1MPN1-037.mgdnok.nokia.com> <708F3212-3C9C-4B61-AA77-EFA8F1CA5B04@nominum.com> <30B1AE01-0A35-48D2-91AF-46FC8B60466C@network-heretics.com> <F932CA9C-3489-48AC-A454-5B7A91CF129A@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: DHC WG <dhcwg@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, "<mif@ietf.org>" <mif@ietf.org>, dnsext List <dnsext@ietf.org>
Subject: Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document

On Oct 21, 2011, at 11:19 AM, Ted Lemon wrote:

> On Oct 21, 2011, at 11:13 AM, Keith Moore wrote:
>> IMO: search lists are useful, but only with "bare names" - and the behavior of those should be implementation dependent.  Trying to nail it down will break too much widespread practice.
> 
> On a desktop workstation they are useful, because you can largely trust the security of the physical network.   On mobile nodes, though, they are harmful, because they open up a really easy avenue for exploit.

True.  But unsecured DNS is easily exploited regardless of whether bare names are used.  (and I've never bought the idea that DNSSEC verification can reasonably be done by an external host)

(When I think about things, I generally assume that nearly all nodes are mobile, because that's clearly the way things are going.  I expect that desktop workstations - in the sense of hosts that serve individual users and have fixed locations in the network - will be almost nonexistent in a very short time.  They don't need to be special-cased.)

> On MIF nodes, they also open up potential for mistakes.   So if we are to meet the spirit of your request here, it will still require a document describing what the mistakes are, and providing advice on how to avoid them.

Understood.   I just think it's going to be tricky to do that without breaking a lot of existing behavior.  But in principle, there's nothing wrong with describing security vulnerabilities and workarounds for those.

Keith
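The disagreement above turns on what a stub resolver does with a bare name when the search list came from whatever network the node happens to be attached to. The following is an added example, not code from the MIF draft or from either author; it models the usual resolver convention (a name ending in "." is absolute, a name with at least ndots dots is tried as-is before any suffix is appended, a bare name is tried with each search-list suffix first) on a node with two interfaces. The InterfaceConfig type, its trusted flag and the strict merge policy are assumptions chosen to show the exposure, not anything a standard mandates; the interface names and suffixes are constructed sample data.

```python
"""Model of stub-resolver search-list expansion on a multi-interface node.

Added example, not code from the MIF draft or from any message in this
thread. The `trusted` flag and the per-interface merge policy are
assumptions used to illustrate the point, not standard behaviour.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class InterfaceConfig:
    """DNS configuration learned on one interface (e.g. via DHCP)."""
    name: str
    search: List[str] = field(default_factory=list)
    ndots: int = 1
    trusted: bool = True  # assumption: set by local policy, never by the network


def _absolute(name: str) -> str:
    return name.rstrip(".") + "."


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Fully qualified names a resolver would query, in order."""
    if name.endswith("."):
        return [name]                      # absolute: search list never applies
    as_is = _absolute(name)
    expanded = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded          # qualified enough: literal first
    return expanded + [as_is]              # bare name: search list first


def merged_search(interfaces: List[InterfaceConfig], strict: bool) -> List[str]:
    """Merge per-interface search lists in interface order.

    With strict=True, suffixes from untrusted interfaces are dropped, so a
    hotspot's DHCP server cannot steer where a bare name is looked up.
    """
    out: List[str] = []
    for iface in interfaces:
        if strict and not iface.trusted:
            continue
        for s in iface.search:
            if s not in out:
                out.append(s)
    return out


def resolve_plan(name: str, interfaces: List[InterfaceConfig],
                 strict: bool = False) -> List[str]:
    """Ordered list of names the node would query for `name`."""
    search = merged_search(interfaces, strict)
    ndots = min((i.ndots for i in interfaces), default=1)
    return candidate_names(name, search, ndots)


def search_list_decides_first_query(name: str, interfaces: List[InterfaceConfig],
                                    strict: bool = False) -> bool:
    """True when the first query carries a search-list suffix, i.e. whoever
    supplied that list chooses which zone answers the bare name."""
    return resolve_plan(name, interfaces, strict)[0] != _absolute(name)


# Constructed sample: an office interface plus a hotspot Wi-Fi interface
# whose DHCP server handed out its own search suffix. The hotspot came up
# first, so a naive merge tries its suffix first.
OFFICE = InterfaceConfig("eth0", search=["corp.example"], trusted=True)
HOTSPOT = InterfaceConfig("wlan0", search=["hotspot.example"], trusted=False)
NODE = [HOTSPOT, OFFICE]


if __name__ == "__main__":
    for n in ("intranet", "www.example.com", "www.example.com."):
        print(n, resolve_plan(n, NODE), resolve_plan(n, NODE, strict=True))
```

With the naive merge, the bare name "intranet" is first sent as "intranet.hotspot.example.", so the hotspot's zone answers; a fully qualified name such as "www.example.com." is never expanded at all, which is the sense in which search lists are only an issue for bare names. The as-is candidate is still sent to the network-supplied resolver, so this model only isolates the extra exposure the search list adds, not the general problem of unauthenticated DNS on an untrusted network.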