IETF Logo Mail Archive

Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mohan <suruti94@gmail.com> Tue, 04 October 2011 03:14 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A478721F8EE0; Mon, 3 Oct 2011 20:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317698098; bh=cGSUh5MnOn/CHgwTCn4t41FHlFM09smNgumD51EhLs0=; h=References:In-Reply-To:Mime-Version:Message-Id:From:Date:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=NIqHIGBYuDnRGhXyhtHqoLkb4LGJC+MNKK2HIVLvth6C/jm9BaU393lYlj82o9bGE KD6HbArdjhI4oIxxX4aPQT30CRA6c9Ph7a91LomInK0PUQKmrSkMq6KIyMHZnSpv3d Lww5KVHlRxHfjDAYKIzEVqIynTINs/T/hF6Pv2Fw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2224921F8EE0 for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 20:14:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.397
X-Spam-Level: **
X-Spam-Status: No, score=2.397 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MANGLED_LIST=2.3, MANGLED_WANT=2.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CL8ytoH4aToS for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 20:14:56 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 43FFD21F8EDF for <dnsext@ietf.org>; Mon, 3 Oct 2011 20:14:56 -0700 (PDT)
Received: by gyd12 with SMTP id 12so67922gyd.31 for <dnsext@ietf.org>; Mon, 03 Oct 2011 20:17:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to; bh=qRB4W0qv2h9DsV/M2oyDWoUwwAIh4DUg/O5w3hplTwM=; b=j59X+SlF3qpAqSV/Dq6CDSk924jPOsx+xHSgtNLl7WiomsG97+NlRI81bIbHjdDHou s0gDTBD6LJo39h625W1uzBS5u1fa6mSA+WAlfbVymLxffu82a4ltEVL+Z9ap4RbgU5Of h3M9AvGFgELTEVbH9HzFh2mKlPHvqpizDHLlY=
Received: by 10.236.143.99 with SMTP id k63mr3672123yhj.64.1317698278959; Mon, 03 Oct 2011 20:17:58 -0700 (PDT)
Received: from [10.89.135.116] ([166.205.138.53]) by mx.google.com with ESMTPS id w70sm18148120yhk.6.2011.10.03.20.17.56 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 03 Oct 2011 20:17:58 -0700 (PDT)
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com> <20111004001547.7ED7C149063F@drugs.dv.isc.org> <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com> <20111004025502.504DD14924EC@drugs.dv.isc.org>
In-Reply-To: <20111004025502.504DD14924EC@drugs.dv.isc.org>
Mime-Version: 1.0 (iPhone Mail 8L1)
Message-Id: <F168B690-446E-4BFD-82F9-5031FF12BE27@gmail.com>
X-Mailer: iPhone Mail (8L1)
From: Mohan <suruti94@gmail.com>
Date: Mon, 3 Oct 2011 20:17:48 -0700
To: Mark Andrews <marka@isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Oct 3, 2011, at 7:55 PM, Mark Andrews <marka@isc.org> wrote:

> 
> In message <CACU5sD=2HSCi4VKT235APU7aS7bqk_Czzf_CmdN9fXpEF61s0A@mail.gmail.com>
> , Mohan Parthasarathy writes:
>> On Mon, Oct 3, 2011 at 5:15 PM, Mark Andrews <marka@isc.org> wrote:
>>> 
>>> In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmai=
>> l.com>, Mohan Parthasarathy writes:
>>>> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
>>>>> On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> =
>> wro=3D
>>>> te:
>>>>>> 
>>>>>> +1. The slight increase in programming difficulty of using POST vs. G=
>> ET
>>>>>> buys you a huge amount of flexibility in queries. It's not just about
>>>>>> cache-prevention.
>>>>>> 
>>>>> 
>>>>> All silver linings have their clouds...=3DA0 The only unfortunate thin=
>> g abo=3D
>>>> ut
>>>>> POST, in my view, is that the flexibility can trend you away from
>>>>> interoperability as people add and change things at=3DA0 different=3DA=
>> 0 speed=3D
>>>> s at
>>>>> different hosts.=3DA0 If you want standard behavior the descending lis=
>> t goe=3D
>>>> s:
>>>>> New Method, GET, POST, at least in my view.
>>>>> 
>>>>> Since new methods are notoriously hard to get deployed, POST seems lik=
>> e t=3D
>>>> he
>>>>> best choice if you want something that can handle any DNS operation.=
>> =3DA0 I=3D
>>>> f it
>>>>> is meant to be only retrieval, then I would personally say that keepin=
>> g it
>>>>> within GET is the best choice.
>>>>> 
>>>>> I'm also increasingly of the opinion that this should have the validat=
>> ion
>>>>> bits sets by default.=3DA0 Allowing a web site to update the local DNS=
>> cach=3D
>>>> e for
>>>>> a client system by including a reference and a DNS result for the refe=
>> ren=3D
>>>> ce
>>>>> causes my paranoia to ratchet up a few notches.=3DA0 The only other de=
>> fense
>>>>> against it I see is using Web results only in same-origin web contexts=
>> , a=3D
>>>> nd
>>>>> that's going to be very hard to make work.
>>>>> 
>>>> 
>>>> I am not sure I understand this concern fully. I guess you mean that
>>>> you want to use this only with CD =3D3D1 which also implies that you wan=
>> t
>>>> to use only with DNSSEC . Though this is the primary use case that
>>>> this draft is trying to address, should we restrict it ? Previously,
>>>> your concern was cache poisoning of the HTTP proxies having an impact
>>>> on DNS. If we require HTTPS and POST, is this still a concern ?
>>> 
>>> DO=3D1 implies DNSSEC. =A0Stubs/forwarders SHOULD NOT set CD=3D1. =A0The
>>> upstream validator needs to filter out the spoofed responses
>>> on behalf of the stub/forwarder.
>>> 
>>> Also it is just a "DNS message". =A0UDP/TCP/HTTP/HTTPS is just the
>>> transport for the DNS message.
>>> 
>> 
>> If a validating stub resolver can set CD =3D 1 for UDP/TCP why not for
>> HTTP or HTTPS ?
> 
> A validating stub resolver really doesn't want to set CD=1, by
> default.  If it gets SERVFAIL back to a CD=0 query then resending
> with CD=1, may help if the SERVFAIL was a validation failure caused
> by a bad clock on the recursive server / out of date trust anchors.
> A stub resolver *needs* the upstream server to weed out the bogus
> responses due to spoofing or, more likely, operational stuff ups
> and only pass through those that pass validation.  Remember a stub

Why does a validating stub resolver care ? If there was spoofing or other problems, it can find out itself. It is much easier to set CD=1 always. 

-mohan

> resolver does not have access to multiple authoritative sources,
> only the recursive server does.  If you are willing to bet that
> every response you get back is good then always set CD=1 otherwise
> CD=1 should only be set if the CD=0 lookup fails.
> 
>> -mohan
>> 
>>>> -mohan
>>>> 
>>>>> Ted
>>>>> 
>>>>> _______________________________________________
>>>>> dnsext mailing list
>>>>> dnsext@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dnsext
>>>>> 
>>>>> 
>>>> _______________________________________________
>>>> dnsext mailing list
>>>> dnsext@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsext
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 INTERNET: marka@is=
>> c.org
>>> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.8.7 | Report a Bug | By Email