Re: [dnsext] draft-bellis-dnsext-dnsproxy-00

Ray.Bellis@nominet.org.uk Tue, 04 November 2008 09:39 UTC

In-Reply-To: <4910067D.6070606@nlnetlabs.nl>
References: <OF7E3816AF.C6D6EB41-ON802574F6.0076B6C3-802574F6.0077AF4E@nominet.org.uk> <4910067D.6070606@nlnetlabs.nl>
To: Wouter Wijngaards <wouter@NLnetLabs.nl>
Cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] draft-bellis-dnsext-dnsproxy-00
MIME-Version: 1.0
X-Mailer: Lotus Notes Build V85_M2_08202008 August 20, 2008
Message-ID: <OF0155F3C0.931840D8-ON802574F7.0033CA35-802574F7.00348666@nominet.org.uk>
From: Ray.Bellis@nominet.org.uk
Date: Tue, 04 Nov 2008 09:33:42 +0000

[re non-label pointers]
> Well, it could certainly be useful for compression of DNSSEC packets. I
> have not tried to do so for interoperability reasons.  But, for DNSSEC
> packets the RRSIG rdata cannot be compressed, but if put in the packet
> first, it can be used to compress *to*.

It could, but what's the likelihood that the wire-format RRSIG data would 
look remotely like a legal label?

> Could you refrain from making this impossible? The draft is about stubs
> anyway, just leave out 'at the start of another label'.
>
> I would also leave out the backpointing requirement.  I would rather not
> have my firewall check to make sure compression pointers point back.

Please note that this section of the draft talks about things that MAY be 
considered acceptable for a DPI firewall to block.  The main thrust of the 
draft is that unless they've got a _really_ good reason they shouldn't 
block the packets based on their content at all.

[re: trailing garbage]
> > Interesting...  in my earlier research we were more concerned with missing
> > data, and never noticed extraneous data.  Is this a common occurrence?
> 
> Yes.

Has anyone ever looked to find out why this happens?

Ray
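As an added illustration of the two compression-pointer checks discussed above (pointers must point backwards, and the stricter "only to the start of another label" rule), here is a small name decoder that enforces them; it is example code written for this archive page, not part of the draft or of any of the posters' software, and the message bytes, `decode_name`, `check_owner` and `PointerError` are all constructed for the example.

```python
class PointerError(ValueError):
    """A compression pointer failed one of the checks."""

def decode_name(msg, offset, label_starts, require_label_start=True):
    """Decode the wire-format name at `offset`; return (name, end_offset).

    label_starts is the set of offsets already known to begin a label in this
    message; it is filled in as names are walked in message order. A pointer
    must point backwards, and, when require_label_start is set, only to an
    offset already recorded as a label start (the stricter DPI rule).
    """
    labels, pos, end = [], offset, None
    while True:
        if pos >= len(msg):
            raise PointerError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise PointerError(f"truncated pointer at {pos}")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end       # name ends at first pointer
            if target >= pos:
                raise PointerError(f"pointer at {pos} does not point back ({target})")
            if require_label_start and target not in label_starts:
                raise PointerError(f"pointer at {pos} targets non-label offset {target}")
            pos = target                                # strictly decreasing: no loops
            continue
        if length & 0xC0:
            raise PointerError(f"reserved label type 0x{length:02x} at {pos}")
        label_starts.add(pos)
        if length == 0:                                 # root label ends the name
            return ".".join(labels) or ".", (pos + 1 if end is None else end)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise PointerError(f"label at {pos} is truncated")
        labels.append(label.decode("latin-1"))
        pos += 1 + length

# Constructed message: 12-byte zero header, question name "\x02\x01y" "\x03com"
# at offsets 12..19 (the 0x01 inside the first label looks like a 1-byte label
# when pointed at directly), QTYPE/QCLASS at 20..23, answer owner name at 24.
HEADER = bytes(12)
QUESTION = b"\x02\x01y\x03com\x00" + b"\x00\x01\x00\x01"

def check_owner(owner, strict=True):
    """Walk the question name, then the owner name at 24; report the outcome."""
    msg = HEADER + QUESTION + owner
    starts = set()
    decode_name(msg, 12, starts)            # records label starts {12, 15, 19}
    try:
        return decode_name(msg, 24, starts, require_label_start=strict)[0]
    except PointerError as e:
        return f"rejected: {e}"
```

With the strict rule a pointer into the middle of the first label (offset 13) is rejected, while the lenient decoder happily yields "y.com", which is the ambiguity the draft's wording is about; a forward pointer is rejected either way.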


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>