Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mark Andrews <marka@isc.org> Tue, 04 October 2011 00:13 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EDE321F8F26; Mon, 3 Oct 2011 17:13:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317687217; bh=Htr6KJ9fR6fGQU5MQ5SaZKApqhiQewsYtJvPhKB4FJA=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=Op1Cx8xl8XM1gm2WGuVS+xGyH9e7zPrcT0yrhUqrJHEsi7QrGGYIrdwje4VjJCnIu f0FniHUwZoV3JkH+TyzqA68G1dO4tlr7WFhu8SL+3w2AgZxKQvRbqIiKmf/67lj6U2 +iSrCkwjrH8acw2qoLdKc876tUBh0zLJmhB4zLms=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C6B721F8F26 for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 17:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2WirneynejAE for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 17:13:35 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 784C321F8F24 for <dnsext@ietf.org>; Mon, 3 Oct 2011 17:13:31 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id B7952C9496; Tue, 4 Oct 2011 00:16:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 692AC216C36; Tue, 4 Oct 2011 00:16:13 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 7ED7C149063F; Tue, 4 Oct 2011 11:15:47 +1100 (EST)
To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
In-reply-to: Your message of "Mon, 03 Oct 2011 12:22:44 PDT." <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
Date: Tue, 04 Oct 2011 11:15:47 +1100
Message-Id: <20111004001547.7ED7C149063F@drugs.dv.isc.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>, Mohan Parthasarathy writes:
> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> > On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> >>
> >> +1. The slight increase in programming difficulty of using POST vs. GET
> >> buys you a huge amount of flexibility in queries. It's not just about
> >> cache-prevention.
> >>
> >
> > All silver linings have their clouds... The only unfortunate thing about
> > POST, in my view, is that the flexibility can trend you away from
> > interoperability as people add and change things at different speeds at
> > different hosts. If you want standard behavior the descending list goes:
> > New Method, GET, POST, at least in my view.
> >
> > Since new methods are notoriously hard to get deployed, POST seems like the
> > best choice if you want something that can handle any DNS operation. If it
> > is meant to be only retrieval, then I would personally say that keeping it
> > within GET is the best choice.
> >
> > I'm also increasingly of the opinion that this should have the validation
> > bits set by default. Allowing a web site to update the local DNS cache for
> > a client system by including a reference and a DNS result for the reference
> > causes my paranoia to ratchet up a few notches. The only other defense
> > against it I see is using Web results only in same-origin web contexts, and
> > that's going to be very hard to make work.
> >
> 
> I am not sure I understand this concern fully. I guess you mean that
> you want to use this only with CD=1, which also implies that you want
> to use it only with DNSSEC. Though this is the primary use case that
> this draft is trying to address, should we restrict it? Previously,
> your concern was cache poisoning of the HTTP proxies having an impact
> on DNS. If we require HTTPS and POST, is this still a concern?

DO=1 implies DNSSEC.  Stubs/forwarders SHOULD NOT set CD=1.  The
upstream validator needs to filter out the spoofed responses
on behalf of the stub/forwarder.

Also it is just a "DNS message".  UDP/TCP/HTTP/HTTPS is just the
transport for the DNS message.

> -mohan
> 
> > Ted
> >
> > _______________________________________________
> > dnsext mailing list
> > dnsext@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
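Added example (not from Mark's message, the draft, or any ISC code) showing the two points above in wire format: DO lives in the EDNS0 OPT pseudo-RR while CD is a header flag, so a stub can ask for DNSSEC data (DO=1) without disabling upstream validation (CD=0); and the resulting bytes are the same whether they go into a UDP datagram, a length-prefixed TCP stream, or an HTTP POST body. The "/dns-query" path and "application/octet-stream" media type are assumptions for illustration only; this thread predates any standard for DNS over HTTP.

```python
"""Constructed example: a DNS query as a transport-independent message.

Builds a wire-format query with EDNS0 DO=1 and CD=0, reads the flags back,
and frames the identical bytes for TCP and for an HTTP POST body.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_RD = 0x0100                        # recursion desired
FLAG_AD = 0x0020                        # authentic data (set by a validator in responses)
FLAG_CD = 0x0010                        # checking disabled
TYPE_OPT = 41
EDNS_DO = 0x8000                        # DO bit: top bit of the OPT RR's 32-bit TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1234,
                dnssec_ok: bool = True, checking_disabled: bool = False,
                udp_payload: int = 4096) -> bytes:
    """Header + one question + one OPT RR in the additional section."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n


def parse_flags(msg: bytes) -> dict:
    """Extract RD/AD/CD from the header and DO from the OPT RR, if any."""
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
    return {"id": txid, "rd": bool(flags & FLAG_RD), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do}


def stub_query_is_sane(msg: bytes) -> bool:
    """The rule from the thread: a stub/forwarder asks for DNSSEC data (DO=1)
    but leaves validation to its upstream resolver (CD=0)."""
    f = parse_flags(msg)
    return f["do"] and not f["cd"]


def as_tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP: the message preceded by its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def as_http_post(msg: bytes, host: str = "resolver.example") -> bytes:
    """The same message as an HTTP POST body. Path and media type are
    assumptions for this example, not anything the draft specifies."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n").encode("ascii")
    return head + msg


if __name__ == "__main__":
    q = build_query("www.example.com.", 1)
    print(parse_flags(q), stub_query_is_sane(q))
    print(as_tcp_frame(q)[:2].hex(), as_http_post(q).split(b"\r\n")[0])
```

Running the block prints the decoded flags for the constructed query (rd and do set, cd and ad clear), then the TCP length prefix and the POST request line for the very same bytes.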