IETF Logo Mail Archive

Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Ted Hardie <ted.ietf@gmail.com> Mon, 03 October 2011 20:22 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5883421F8DB5; Mon, 3 Oct 2011 13:22:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1317673349; bh=nElUxfstoGHwekCRBJW2fjXQR1AE3tRU/9DvfsvjPYc=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=P3yLFqEA9mCHqqnsMrLlieu4Rp/fcHOD4lDLvbPYx1oxIk23dB0qJr53+BAqXDvk1 YCxWotGftAKq75h2dsFMYEGCgYFDd7gFvVZ6cZC6CjotEqMwBcmiTUyW+l7TIS6T8U b6e5x5GcJJeqdDx8NDnvvYmSQPkS9YyTg4zt5Vzw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FB0521F8DB5 for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 13:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.505
X-Spam-Level:
X-Spam-Status: No, score=-3.505 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1i13q+mbHxi for <dnsext@ietfa.amsl.com>; Mon, 3 Oct 2011 13:22:25 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id A9B1921F8D4F for <dnsext@ietf.org>; Mon, 3 Oct 2011 13:22:25 -0700 (PDT)
Received: by yxt33 with SMTP id 33so4855318yxt.31 for <dnsext@ietf.org>; Mon, 03 Oct 2011 13:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vzeH9dDVX3ZTnvXnJ8gUySuLzefQyCZqQaCesv1svxI=; b=uckVYBcjFWwxa04LzQBkscLk4WD5yNoARfg0hBb9iW8rkJmUTZCVfKcZ0Hlg4qLXo9 DagLJYC3CaZTeZlrIG7Fwy5kpemsSEr3ZUiUg8XilMrrBmBO86DyTPs1YQtgI8yhFYi0 G5dCVNGwqzjNUiUu12I2J6e7F5L7ajHQOCdFM=
MIME-Version: 1.0
Received: by 10.236.127.144 with SMTP id d16mr2342327yhi.40.1317673528477; Mon, 03 Oct 2011 13:25:28 -0700 (PDT)
Received: by 10.236.105.169 with HTTP; Mon, 3 Oct 2011 13:25:27 -0700 (PDT)
In-Reply-To: <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <8F26AB69-C5BD-47BD-B3F4-6D840E419A23@verisign.com> <201110031713.20103.vixie@isc.org> <54E677EE-0720-4220-9FB8-17EDE978E904@vpnc.org> <CA+9kkMDT+=eBd_xMmZN_ceNdHKDxoCDH8rbyNtGs+OoN8=d25Q@mail.gmail.com> <CACU5sDmurSriLgrD9Pn_xAarfBxrjY0x9sRdJPrdkvJiJ6FJZQ@mail.gmail.com>
Date: Mon, 3 Oct 2011 13:25:27 -0700
Message-ID: <CA+9kkMDG3vpETecTHMCLdOf8SDpzum=vMC=mGBsSw5JaORMYig@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Mohan Parthasarathy <suruti94@gmail.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============6681150518627548168=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Mon, Oct 3, 2011 at 12:22 PM, Mohan Parthasarathy <suruti94@gmail.com>wrote;wrote:

> On Mon, Oct 3, 2011 at 10:32 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> > On Mon, Oct 3, 2011 at 10:21 AM, Paul Hoffman <paul.hoffman@vpnc.org>
> wrote:
> >
> > I'm also increasingly of the opinion that this should have the validation
> > bits sets by default.  Allowing a web site to update the local DNS cache
> for
> > a client system by including a reference and a DNS result for the
> reference
> > causes my paranoia to ratchet up a few notches.  The only other defense
> > against it I see is using Web results only in same-origin web contexts,
> and
> > that's going to be very hard to make work.
> >
>
> I am not sure I understand this concern fully. I guess you mean that
> you want to use this only with CD =1 which also implies that you want
> to use only with DNSSEC . Though this is the primary use case that
> this draft is trying to address, should we restrict it ? Previously,
> your concern was cache poisoning of the HTTP proxies having an impact
> on DNS. If we require HTTPS and POST, is this still a concern ?
>
>
Well, I don't think you can functionally say that it can only be used with
DNSSEC at the protocol level; there's always the risk that you want to use
it for some zone that hasn't been signed.  But I think we're going to have
to strongly suggest that it should be used when DNSSEC validation can be
done and, if it has not been, how to handle the results with respect to the
local cache.

If I am a helpful web site with the ability to do this DNS return, I could
theoretically get slightly higher speed for web page loads by providing the
DNS data for the component loads along with the initial return.  If those
can be trusted because of DNSSEC validation, using the data and storing it
in the local cache for use by other applications (subject to TTL expiry
etc.) should be fine.  But if I cannot validate it, then I have to have some
other trust model for the data.  One potential model is to use (but likely
not store) data with the same origin as the web server from which I got it.
So if I land at financial.example.com, I use the data it gives me for
nasdaq.financial.example.com and sp500.financial.example.com, but not for
ftse.example.co.uk or, even worse, for social.network.com of
deposit.bank.com.

It's still a cache poisoning problem, but it is the local cache that might
be poisoned in this worry.

In the case where you are getting this from a 3rd party DNS provider which
supports HTTPS transport, the trust is presumably between you and that
provider.  That may be the initial use case.  But I'm guessing that once
this is available, other uses, included blended content/DNS returns will
occur.

regards,

Ted



-mohan
>
> > Ted
> >
> > _______________________________________________
> > dnsext mailing list
> > dnsext@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsext
> >
> >
>

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.8.7 | Report a Bug | By Email