Re: [dnsext] draft-mohan-dns-query-xml-00.txt

David Conrad <drc@virtualized.org> Wed, 05 October 2011 14:22 UTC

From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAH1iCir9T0kSL=_-f_FW1jcfN3D+z5tHc18ML0L9h5Znm45vZw@mail.gmail.com>
Date: Wed, 05 Oct 2011 07:25:39 -0700
Message-Id: <24EEC86B-DE62-477E-8E77-1A8683803667@virtualized.org>
References: <20111004143947.205a61dff9fc1684c258b274662bb912.04bcda2f2f.wbe@email00.secureserver.net> <CAH1iCir9T0kSL=_-f_FW1jcfN3D+z5tHc18ML0L9h5Znm45vZw@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: DNSEXT Working Group <dnsext@ietf.org>

On Oct 4, 2011, at 3:54 PM, Brian Dickson wrote:
> This proposal is a very lightweight and elegant (IMHO) counter-counter-measure.

Not really. It is a hack that, if implemented, will ensure there is no pressure to actually fix broken infrastructures.  Realistically:

- state-sponsored censorship will continue to occur: states have a tendency to insist on that sort of thing, with guns if necessary;
- folks intentionally blocking working DNS to force the use of their name servers will figure out a way to continue blocking DNS: I have sufficient faith in the tenacity of such folks that all this will do is result in a cat-and-mouse game (e.g., it won't be that hard to figure out which HTTP{,S} server IP addresses to blacklist);
- middlebox vendors and lazy DNS operators won't need to fix their DNS implementations because there is now an HTTP{,S} bypass for the folks that whine about such things; and
- we now have to saddle DNSSEC server implementations (auth and recursive) with yet more complexity.  Permanently.

This feels like the wrong way to solve this problem.

Regards,
-drc

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext