Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Nicholas Weaver <nweaver@icsi.berkeley.edu> Sat, 01 October 2011 14:58 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <201110010458.26859.vixie@isc.org>
Date: Sat, 1 Oct 2011 08:01:33 -0700
Message-Id: <D3890C96-DA07-4BA1-AB57-1A81EA2ED477@icsi.berkeley.edu>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <0394FB3B-6C2B-4D47-B1FA-AA54B7EB1053@kirei.se> <DDD7529C-9EF3-427F-AF90-2872CCD71ECF@cisco.com> <201110010458.26859.vixie@isc.org>
To: Paul Vixie <vixie@isc.org>
X-Mailer: Apple Mail (2.1244.3)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Sep 30, 2011, at 9:58 PM, Paul Vixie wrote:
> I like the binary format first proposed here by Edmonds.  I'm not as sure 
> about Jakob's "use the accept headers to determine the format" idea since the 
> only reason I wanted a printable format was so I could debug with "telnet".  
> All clients, even those written in javascript, already know how to handle 
> "plain old DNS wire format".  I truly do only expect this transport to be used 
> when the normal UDP/53 and TCP/53 paths are middlebox-corrupted.
> 
> Assuming that Mohan agrees with me on "just use wire format" in the response, 
> my observation is, we should not be using GET at all, nor should we be 
> encoding the query into the URI.  We should use POST and our request body 
> should be in DNS wire format.  This would defeat web caches but I think that's 
> fine since I worry about web caches that don't understand DNS TTL and I worry 
> even more about web caches that are intercepting rather than explicit.  POST 
> is presumed by web caches to be unique data to which a unique response will be 
> needed.
> 
> A side benefit of this is, the UPDATE opcode gets easy.
> 
> Feel free to respond 1x1, I would summarize.

Use GET, but if you want it to get through the most busted of web caches, do the following:

In the fetch, include cache-busters in the URL: rather than things that translate to GET http://dns_server/name/rtype, use things like GET http://dns_server/name/rtype/NONCE


Web caches don't work.  In our experience, nearly 50% of those in Netalyzr tests cache things they shouldn't, so if the worry is cache-staleness, include a cache-buster. But you don't need to use POST to get through the bustedness if the URLs can have nonces in them.



And I'd have the return value be JSON rather than raw DNS on the wire.  Why?

Because the point is validating DNSSEC, the HTTP server should not just return the record asked for, but the whole signature chain that it has. Since this is more information than a normal DNS reply, it might benefit from a new encoding.

And if you are going to do a new encoding, JSON is the way to go: it is FAR far easier to parse than any specialized format.


The other alternative is to say it's "OK to put the whole signature chain in the additional field", in which case this would be DNS wire format, but that might be a good policy for ALL resolvers to support: why shouldn't a DNSSEC-aware resolver provide the whole signature chain that it has in a reply?
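The cache-buster argument above, as an added illustration that is not part of the thread: a URL builder for the GET http://dns_server/name/rtype/NONCE shape, run against a constructed model of a web cache that stores every response forever and ignores DNS TTLs. The server name, zone data and cache class are all made-up stand-ins.

```python
import secrets
from urllib.parse import quote, unquote


def dns_query_url(server, name, rtype, cache_bust=True):
    """Build http://<server>/<name>/<rtype>[/<nonce>].

    With cache_bust=True a fresh random nonce is appended, so no two
    requests for the same name/rtype share a cache key."""
    url = f"http://{server}/{quote(name, safe='')}/{quote(rtype, safe='')}"
    if cache_bust:
        url += "/" + secrets.token_urlsafe(16)
    return url


class BrokenWebCache:
    """Hypothetical transparent cache that never expires anything (no TTL)."""

    def __init__(self, origin):
        self.origin = origin        # callable: url -> answer from the DNS/HTTP server
        self.store = {}
        self.origin_hits = 0

    def get(self, url):
        if url not in self.store:   # only an unseen URL reaches the origin
            self.store[url] = self.origin(url)
            self.origin_hits += 1
        return self.store[url]


def demo(cache_bust):
    """Query twice across a zone change; return (first, second, origin_hits)."""
    records = {"example.test": "192.0.2.1"}          # constructed zone data

    def origin(url):
        name = unquote(url.split("/")[3])            # path is /name/rtype[/nonce]
        return records[name]

    cache = BrokenWebCache(origin)
    first = cache.get(dns_query_url("dns.example", "example.test", "A", cache_bust))
    records["example.test"] = "192.0.2.2"            # zone updated at the origin
    second = cache.get(dns_query_url("dns.example", "example.test", "A", cache_bust))
    return first, second, cache.origin_hits


if __name__ == "__main__":
    print("without nonce:", demo(False))   # stale second answer, 1 origin hit
    print("with nonce:   ", demo(True))    # fresh second answer, 2 origin hits
```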

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext