Re: [dnsext] draft-mohan-dns-query-xml-00.txt

[Paul Wouters <paul@xelerance.com>]

On Sat, 1 Oct 2011, Paul Vixie wrote:

> "plain old DNS wire format".  I truly do only expect this transport to be used
> when the normal UDP/53 and TCP/53 paths are middlebox-corrupted.

I am not sure people agree on the user cases for this.

If you truly think you are addressing the middlebox problem, most likely
you could just run the DNS over port 54 or 80/443.

This proposal does not at all address the problem where DNS is mangled due
to hotspot and captive portal scenarios. Once you work around that scenario,
for example like with the dnssec-trigger experiment that's still far from
workable to non-engineers, you usually get a clean connection with the
exception of port 53 mangling, which just moving to another port seems to
almost always fix it (with 80/443 having a slightly better chance then a
random port.

Doing DNS-over-HTTP is still going to get broken results in captive portals.

What dnssec-trigger is trying to do now is:
- selectable (but should be automatic) hot spot mode where you allow
   insecure dns only to go past captivity
- attempt to use DHCP assigned DNS servers as cache, validate locally
   - if broken, try and query auth servers directly
     - if broken, try an open resolver on port 80/443
       - if broken give user option for "insecure or cached only"

Aside from this, we have the new dnssec chains via alternative source,
both as a speedup and as a workaround using a leap of faith in TLS. this
is useful, though not a replacement for the above. It would also be nice
if any dnssec-chain extension would use some kind of standard so we can
feed it into a validating caching server.

Doing dns-over-http for broken middlewhere alone is going to be a partial
solution that is not going to be very useful on its own.

Paul

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext